Schools and Libraries Cybersecurity Pilot Program, 90141-90163 [2023-27811]

Agencies

• FEDERAL COMMUNICATIONS COMMISSION

[Federal Register Volume 88, Number 249 (Friday, December 29, 2023)]
[Proposed Rules]
[Pages 90141-90163]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-27811]


=======================================================================
-----------------------------------------------------------------------

FEDERAL COMMUNICATIONS COMMISSION

47 CFR Part 54

[WC Docket No. 23-234; FCC 23-92; FRS ID 190276]


Schools and Libraries Cybersecurity Pilot Program

AGENCY: Federal Communications Commission.

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: In this document, the Federal Communications Commission 
(Commission) proposes a three-year pilot program within the Universal 
Service Fund (USF or Fund) to provide up to $200 million available to 
support cybersecurity and advanced firewall services for eligible 
schools and libraries.

DATES: Comments are due on or before January 29, 2024 and reply 
comments are due on or before February 27, 2024. Written comments on 
the Paperwork Reduction Act proposed information collection 
requirements must be submitted by the public, Office of Management and 
Budget (OMB), and other interested parties on or before February 27, 
2024.

ADDRESSES: Pursuant to Sec. Sec.  1.415 and 1.419 of the Commission's 
rules, 47 CFR 1.415, 1.419, interested parties may file comments and 
reply comments. You may submit comments, identified by WC Docket No. 
23-234, by any of the following methods:
     Electronic Filers: Comments may be filed electronically 
using the internet by accessing the ECFS: https://www.fcc.gov/ecfs/.
     Paper Filers: Parties who choose to file by paper must 
file an original and one copy of each filing.
     Filings can be sent by commercial overnight courier or by 
first-class or overnight U.S. Postal Service mail. All filings must be 
addressed to the Commission's Secretary, Office of the Secretary, 
Federal Communications Commission.
     Commercial overnight mail (other than U.S. Postal Service 
Express Mail and Priority Mail) must be sent to 9050 Junction Drive, 
Annapolis Junction, MD 20701.
     U.S. Postal Service first-class, Express, and Priority 
mail must be addressed to 45 L Street NE, Washington, DC 20554.
     Effective March 19, 2020, and until further notice, the 
Commission no longer accepts any hand or messenger delivered filings at 
its headquarters. This is a temporary measure taken to help protect the 
health and safety of individuals, and to mitigate the transmission of 
COVID-19. See FCC Announces Closure of FCC Headquarters Open Window and 
Change in Hand-Delivery Policy, Public Notice, DA 20-304 (March 19, 
2020), https://www.fcc.gov/document/fcc-closes-headquarters-open-window-and-changes-hand-delivery-policy.
     People With Disabilities: To request materials in 
accessible formats for people with disabilities (Braille, large print, 
electronic files, audio format), send an email to [email protected] or 
call the Consumer & Governmental Affairs Bureau at (202) 418-0530 
(voice), (202) 418-0432 (TTY).
     Availability of Documents: Comments, reply comments, and 
ex parte submissions will be publicly available online via ECFS.

FOR FURTHER INFORMATION CONTACT: Joseph Schlingbaum 
[email protected] in the Telecommunications Access Policy 
Division, Wireline Competition Bureau, 202-418-7400 or TTY: 202-418-
0484. For information regarding the PRA information collection 
requirements contained in this PRA, contact Nicole Ongele, Office of 
Managing Director, at 202-418-2991 or [email protected]. Requests 
for accommodations should be made as soon as possible in order to allow 
the agency to satisfy such requests whenever possible. Send an email to 
[email protected] or call the Consumer and Governmental Affairs Bureau at 
(202) 418-0530.

SUPPLEMENTARY INFORMATION: This is a summary of the Commission's 
Schools and Libraries Cybersecurity Pilot Program, Notice of Proposed 
Rulemaking (NPRM) in WC Docket No. 23-234; FCC 23-92, adopted November 
8, 2023 and released November 13, 2023. The full text of this document 
is available at the following internet address: https://www.fcc.gov/document/fcc-proposes-schools-libraries-cybersecurity-pilot-program-0.

Initial Paperwork Reduction Act of 1995 Analysis

    This document contains proposed information collection 
requirements. The Commission, as part of its continuing effort to 
reduce paperwork burdens, invites the general public and the Office of 
Management and Budget (OMB) to comment on the information collection 
requirements contained in this document, as required by the Paperwork 
Reduction Act of 1995, Public Law 104-13. Public and agency comments 
are due February 27, 2024. Comments should address: (a) whether the 
proposed collection of information is necessary for the proper 
performance of the functions of the Commission, including whether the 
information shall have practical utility; (b) the accuracy of the 
Commission's burden estimates; (c) ways to enhance the quality, 
utility, and clarity of the information collected; (d) ways to minimize 
the burden of the collection of information on the respondents, 
including the use of automated collection techniques or other forms of 
information technology; and (e) way to further reduce the information 
collection burden on small business concerns with fewer than 25 
employees. In addition, pursuant to the Small Business Paperwork Relief 
Act of 2002, Public Law 107-198, see 44 U.S.C. 3506(c)(4), the 
Commission seeks specific comment on how it might further reduce the 
information collection burden for small business concerns with fewer 
than 25 employees.
    OMB Control Number: 3060-XXXX.
    Title: Schools and Libraries Cybersecurity Pilot Program.
    Form Numbers: FCC Forms 470, 471, 472, 474--Cybersecurity, 484 and 
488--Cybersecurity.
    Type of Review: New collection.
    Respondents: State, local or tribal government institutions, and 
other not-for-profit institutions.
    Number of Respondents and Responses: 23,000 respondents; 201,100 
responses.
    Estimated Time per Response: 4 hours for FCC Form 470--
Cybersecurity, 5 hours for FCC Form 471--Cybersecurity, 1.75 hours for 
FCC Forms 472/474--Cybersecurity, 15 hours for FCC Form 484, and 1 hour 
for FCC Form 488--Cybersecurity.
    Frequency of Response: On occasion and annual reporting 
requirements, and recordkeeping requirement.
    Obligation to Respond: Required to obtain or retain benefits. 
Statutory authority for this collection of information is contained in 
sections 1-4, 201-202, 254, 303(r), and 403 of the Communications Act 
of 1934, as amended, 47 U.S.C. 151-154, 201-202, 254, 303(r), and 403.
    Total Annual Burden: 743,900 hours.
    Total Annual Cost: No Cost.
    Needs and Uses: The information collected is designed to obtain 
information from applicants and service providers that will be used by 
the Commission and/or USAC to evaluate

[[Page 90142]]

the applications and select participants to receive funding under the 
Cybersecurity Pilot Program, make funding determinations and disburse 
funding in compliance with applicable federal laws for payments made 
through the Pilot program. The Commission will begin accepting 
applications to participate in the Cybersecurity Pilot Program after 
publication of its Report and Order and notice of OMB approval of the 
Cybersecurity Pilot Program information collection in the Federal 
Register.
    On November 8, 2023, the Commission adopted a NPRM in WC Docket No. 
23-234, Schools and Libraries Cybersecurity Pilot Program. The 
Commission proposes a three-year pilot program within the Universal 
Service Fund to provide up to $200 million available to support 
cybersecurity and advanced firewall services for eligible schools and 
libraries. Accordingly, the Commission proposes to add subpart T to 
part 54 of its rules.

Synopsis

I. Introduction

    1. Broadband connectivity and internet access are increasingly 
important for K-12 students and adults alike. Whether for online 
learning, job searching, or connecting with peers and the community, 
high-speed broadband is critical to educational and personal success in 
the modern world. However, although broadband connectivity and internet 
access can simplify and enhance the daily lives of K-12 students, 
school staff, and library patrons, they can also be used by malicious 
actors to steal personal information, compromise online accounts, and 
cause online personal harm or embarrassment. Similarly, while advances 
in online technology benefit K-12 schools and libraries by expanding 
teaching and education beyond the physical confines of a school or 
library building, and permitting students and library patrons to 
complete online homework assignments, conduct online research, and 
learn the computer skills necessary to secure a job in the future, K-12 
schools and libraries increasingly find themselves targets for 
attackers who would disrupt their ability to educate, illegally obtain 
sensitive student, school staff, and library patron data, and hold 
their broadband networks hostage to extract ransom payments. Given the 
growing importance of broadband connectivity and internet access for K-
12 schools and libraries, the Commission proposes a three-year pilot 
program within the Universal Service Fund (USF or Fund) to provide up 
to $200 million available to support cybersecurity and advanced 
firewall services for eligible schools and libraries.
    2. Specifically, in the NPRM, the Commission proposes the creation 
of a Schools and Libraries Cybersecurity Pilot Program (Pilot or Pilot 
program) that would allow us to obtain valuable data concerning the 
cybersecurity and advanced firewall services that would best help K-12 
schools and libraries address the growing cyber threats and attacks 
against their broadband networks and data, while also helping us to 
better understand the most effective way USF support could be used to 
help schools and libraries address these significant concerns while 
promoting the E-Rate program's longstanding goal of promoting basic 
connectivity. It is clear that the E-Rate program alone cannot fully 
address the K-12 schools' and libraries' cyber concerns and protect 
their broadband networks and data from cyber threats and attacks. As 
proposed, the Pilot seeks to learn more about which cybersecurity and 
advanced firewall services will have the greatest impact in helping K-
12 schools and libraries protect their broadband networks and data, 
while also ensuring that limited USF funds are being utilized in an 
effective manner. For example, the Commission expects that this Pilot 
will necessarily need to ensure that participating K-12 schools and 
libraries fully leverage the free and low-cost K-12 cybersecurity 
resources provided by our federal partners, the Department of Homeland 
Security's (DHS) Cybersecurity and Infrastructure Security Agency 
(CISA), and the U.S. Department of Education (DOE), to complement the 
Pilot's work and make the most effective use of Pilot program funding.
    3. As discussed further below, the Commission proposes that the 
program operate as a new Pilot within the USF, which would provide 
funding to eligible K-12 schools and libraries to defray the qualifying 
costs of receiving the cybersecurity and advanced firewall services 
needed to protect their E-Rate-funded broadband networks and data from 
the growing number of K-12 school- and library-focused cyber events. 
Additionally, the Commission seeks comment on the applicability of the 
Children's Internet Protection Act (CIPA) to the Pilot program and USF-
funded cybersecurity and advanced firewall services for schools and 
libraries.
    4. The Commission expects this Pilot program will benefit K-12 
schools and libraries that are responding to a wide breadth of cyber 
threats and attacks that impact their ability to protect their 
broadband networks and data. Data gathered from the Pilot program will 
help us understand whether and how USF funds could be used to help 
address the K-12 school and library cybersecurity challenges, and the 
data and information collected through this Pilot program may also aid 
in the consideration of broader reforms across the government--
including potential statutory changes--to help schools and libraries 
address the significant K-12 school and library cybersecurity concerns. 
In proposing this Pilot, the Commission is mindful of the E-Rate 
program's longstanding goal of promoting basic connectivity, its 
obligations to be a careful and prudent steward of the limited 
universal service funding, and the need to balance its actions in this 
proceeding against competing priorities, bearing in mind that this 
funding is obtained though assessments collected from 
telecommunications carriers that are typically passed on to and paid 
for by U.S. consumers.

II. Discussion

    5. Mindful of the need to protect universal service funding and 
aware that basic firewall services may be insufficient alone to protect 
E-Rate-funded broadband networks, the Commission proposes a three-year 
Pilot program to ascertain whether supporting cybersecurity and 
advanced firewall services with universal service support could advance 
the key universal service principles of providing quality internet and 
broadband services to K-12 schools and libraries at just, reasonable, 
and affordable rates; and ensuring schools' and libraries' access to 
advanced telecommunications provided by Congress in the 
Telecommunications Act of 1996. To accomplish this, the Commission 
proposes a pilot structure similar to the one it used in the Connected 
Care Pilot Program. Specifically, interested K-12 schools and libraries 
would apply to be Pilot program participants by submitting an 
application containing information about how they would use the Pilot 
funds and providing information about their proposed cybersecurity and 
advanced firewall projects. If selected, the applicants would apply for 
funding for Pilot-eligible services and equipment. Pilot participants 
receiving a funding commitment would be eligible to begin receiving 
cybersecurity and advanced firewall services and equipment, and would 
submit invoices for reimbursement.

[[Page 90143]]

    6. It is important that the Commission defines the goals of the 
proposed Pilot program, as well as establish criteria to measure 
progress towards those goals. This will help the Commission and other 
federal, state, and local stakeholders to determine whether, and how, 
to provide funding for cybersecurity and advanced firewall services 
after the Pilot ends. To that end, the Commission proposes three goals: 
(1) improving the security and protection of E-Rate-funded broadband 
networks and data; (2) measuring the costs associated with 
cybersecurity and advanced firewall services, and the amount of funding 
needed to adequately meet the demand for these services if extended to 
all E-Rate participants; and (3) evaluating how to leverage other 
federal K-12 cybersecurity tools and resources to help schools and 
libraries effectively address their cybersecurity needs.
    7. Improving the security and protection of E-Rate-funded broadband 
networks and data. The Commission first proposes a goal for the 
proposed Pilot program of improving the security and protection of E-
Rate-funded broadband networks and data. As the Council of the Great 
City Schools stated, ``schools and libraries desperately need 
assistance to acquire advanced . . . firewalls to protect the integrity 
of their broadband connections, networks and data.'' Funding made 
available by the proposed Pilot may be able to help participants 
acquire the cybersecurity and advanced firewall services and equipment 
needed to improve the security and protection of their broadband 
networks and data. The Commission seeks comment on how it can measure 
whether the Pilot is effective in protecting and securing E-Rate-funded 
broadband networks and data. The Commission also seeks comment on this 
proposed goal and related questions.
    8. Measuring the costs and effectiveness of Pilot-funded 
cybersecurity and advanced firewall services and equipment. Next, the 
Commission proposes a goal of measuring the costs and effectiveness of 
cybersecurity and advanced firewall services and equipment. The Pilot 
can help the Commission and other federal, state, and local government 
agencies gather additional data on the types of new services and 
equipment that applicants will purchase to address network and data 
security concerns, and the associated cost and effectiveness of Pilot-
funded services and equipment. Data provided in FCC Forms 470 and 471 
(or their Pilot program equivalent) can aid the Commission in measuring 
the costs of cybersecurity and advanced firewall services and 
equipment. What data should be collected on the effectiveness of the 
funded equipment and services? For example, should Pilot participants 
be required to submit data on the number of intrusion attempts, number 
of successful attacks, mean time to detection and response, estimated 
cost of each attack, etc.? What other accepted metrics should the 
Commission requires Pilot participants to monitor and record? For 
example, should the Commission collect data on the number and percent 
of students and school and library staff using multi-factor 
identification, the frequency of school and library staff and, 
separately, student cyber training sessions, and participation rates? 
Should Pilot participants be required to assess awareness and readiness 
of school and library staff based on available guidance from CISA or 
other expert organizations? Should all or some of these potential 
requirements be standardized across Pilot participants to allow for 
comparative analysis of outcomes? The proposed intent of this Pilot is 
to also determine the most cost-effective use of universal service 
funding to help schools and libraries proactively address K-12 
cybersecurity issues. The Commission seeks comment on this proposed 
goal and related questions.
    9. Evaluating how to leverage other federal resources to address 
schools' and libraries' cybersecurity threats. Third, the Commission 
proposes a goal of evaluating how to best leverage other federal 
resources to help schools and libraries proactively address K-12 
cybersecurity issues. CISA, DOE, and NIST have made a wide array of 
free and low-cost K-12 cybersecurity tools and resources available to 
schools and libraries. Also, as discussed, more resources beyond 
funding are needed for schools and libraries to effectively protect 
their broadband networks and data from cyberattacks and other cyber 
threats. As part of this Pilot, the Commission intends to coordinate 
with its federal partners in identifying the most impactful tools and 
resources to help schools and libraries effectively protect themselves 
and address these cybersecurity issues. For example, DOE plans to 
establish a Government Coordinating Council (Council) to coordinate the 
activities of federal leaders in taking actions to help protect school 
networks. What role can the Pilot play to complement the efforts of 
other agencies that will participate in the Council? In addition, the 
CISA K-12 Cybersecurity Report contains three key recommendations for 
schools and libraries that would immediately improve their 
cybersecurity postures, the first of which recommends implementing a 
``small number of the highest priority steps'', including implementing 
multi-factor authentication, fixing known cybersecurity flaws, 
performing and testing back-ups, minimizing exposure to common attacks, 
developing and exercising a cyber incident response plan, and creating 
a training and awareness campaign. Should the Pilot target funding to 
allow schools and libraries to implement some or all of the items 
contained in the list of highest priority steps from CISA's first 
recommendation to help them address K-12 cybersecurity issues (e.g., 
multi-factor authentication, correcting known security flaws, 
performing and testing system backups, etc.)? Should schools and 
libraries be required to implement a certain number of these free and 
low-cost tools to be eligible to receive Pilot funding for 
cybersecurity and advanced firewall services, and if so how should this 
requirement be enforced? Furthermore, DOE has made a number of 
recommendations in its K-12 Digital Infrastructure Briefs aimed at 
making K-12 networks safe, accessible, resilient, sustainable, and 
future-proof. How should the Pilot account for these recommendations? 
How can the Pilot funding incentivize schools and libraries to take 
full advantage of other available free and low-cost K-12 cybersecurity 
tools and resources? How can the Pilot leverage USAC's established 
relationships with and processes for distribution of training to the 
schools and libraries to facilitate the efforts of CISA, DOE, and NIST 
in order to provide technical assistance or capacity building for Pilot 
participants? The Commission seeks comment on this proposed goal and 
how best to implement and measure success.
    10. How can the Commission best measure progress towards these 
proposed performance goals, to ensure that the limited Pilot funds are 
used most impactfully and effectively to help schools and libraries 
protect their broadband networks and data? For example, by what 
objective criteria can the Commission determine whether the funding 
provided through the Pilot actually improved the protection and 
security of schools' and libraries' broadband networks and data? What 
information would the Commission need to collect to compare Pilot 
results against those criteria? Are there best practices and 
recommendations that the Commission can rely on from expert

[[Page 90144]]

agencies or organizations that have undertaken similar or related 
cybersecurity pilots? What outcomes should the Commission measure? For 
example, in this Pilot should the Commission measure the reductions in 
the number of cyberattacks; average cost of an attack; time to detect 
and respond to a cyber threat; staff and user awareness/readiness; or 
some other measure(s)?
    11. How should the Commission evaluate the Pilot? The Commission 
proposes that Pilot participants submit certain information to apply 
for the Pilot, a progress report for each year of the pilot, and a 
final report at the conclusion of the Pilot program. The Commission 
further proposes that these reports contain information on how the 
Pilot funding was used, any changes or advancements that were made to 
the school's or library's cybersecurity efforts outside of the Pilot-
funded services and equipment, and the number of cyber incidents that 
occurred each year of the Pilot program and whether the school or 
library was successful in defending its broadband network and data for 
each incident. The Commission seeks comment on these proposals. Are 
there any other cybersecurity assessments or evaluations that 
participants should conduct to determine whether the Pilot-funded 
cybersecurity and advanced firewall services and equipment bolstered 
the school's or library's cybersecurity posture, even absent a breach 
or other cyber incident? What is the data or information that the 
Commission should be collecting in the proposed progress and final 
reports? What could the Commission do to allow comparability across 
pilots? Are there any public sources of information that the Commission 
can also use to determine the impact of the Pilot program in addressing 
K-12 cybersecurity issues, and if so, does this data impact what the 
Commission require participants to submit in their reports to the 
Commission?
    12. Next, the Commission discusses the overall structure for the 
proposed Pilot program. Building on its experience administering the 
Connected Care Pilot Program, the Commission proposes a similar 
structure for the proposed Pilot program, and discuss in more detail 
below.
    13. Overall Structure. The Commission proposes to structure the 
proposed Pilot program in a manner similar to the Connected Care Pilot 
Program. Under this proposal, interested schools and libraries would 
apply to be a Pilot participant. Those schools and libraries that are 
selected to participate will be provided an opportunity to apply for 
Pilot funding for eligible services and equipment. Participants will 
then receive a funding commitment, and can begin to receive equipment/
services and submit invoices for reimbursement. Further, the Commission 
proposes that the Universal Service Administrative Company (USAC), the 
FCC's administrator for universal service programs, be appointed as the 
permanent administrator of the Pilot program. The Commission seeks 
comment on this general structure for the proposed Pilot program.
    14. The Commission further proposes that interested participants 
will be required to submit an application describing their proposed use 
of Pilot funds, and provide information that will facilitate the 
selection of high-quality projects that will best further the goals of 
the proposed Pilot program. At a minimum, the Commission proposes that 
Pilot applications require the following information:
    i. Name, address, and contact information for the interested school 
or library. For school district or library system applicants, the name 
and address of all schools/libraries within the district/system, and 
contact information for the district or library system.
    ii. Description of the Pilot participant's current cybersecurity 
posture, including how the school or library is currently managing and 
addressing its current cybersecurity risks through prevention and 
mitigation tactics, and a description of its proposed advanced 
cybersecurity action plan should it be selected to participate in the 
Pilot program and receive funding.
    iii. Description of any incident of unauthorized operational access 
to the Pilot participant's systems or equipment within a year of the 
date of its application; the date range of the incident; a description 
of the unauthorized access; the impact to the K-12 school or library; a 
description of the vulnerabilities exploited and the techniques used to 
access the system; and identifying information for each actor 
responsible for the incident, if known.
    iv. Description of the Pilot participant's proposed use of the 
funding to protect its broadband network and data and improve its 
ability to address K-12 cyber concerns. This description should include 
the types of services and equipment the participant plans to purchase 
and the plan for implementing and using the Pilot-funded equipment and 
services to protect its broadband network and data, and improve its 
ability to manage and address its cybersecurity risks.
    v. Description of how the Pilot participant plans to collect and 
track its progress in implementing the Pilot-funded equipment and 
services into its cybersecurity action plan, and for providing the 
required Pilot data, including the impact the funding had on its 
initial cybersecurity action plan that pre-dated implementation of 
Pilot efforts.
    The Commission seeks comment on these proposed requirements, and 
whether additional information should also be required. The Commission 
proposes that Pilot participants will submit these applications via an 
online platform, designed and operated by USAC, and seek comment on 
this proposal. Are there any confidentiality or security concerns with 
providing the above information, and if so, what protections should be 
implemented to protect potentially sensitive data regarding a 
prospective applicant's current cybersecurity posture? How can the 
Commission best leverage its experience receiving applications in USF 
programs, for example, E-Rate, Rural Health Care, and the Connected 
Care Pilot Program, as well as in the appropriated programs, like 
COVID-19 Telehealth, Emergency Connectivity Fund (ECF), and the 
Affordable Connectivity Program (ACP) Outreach grants? Are there any 
lessons learned from the Connected Care Pilot Program and other FCC 
pilot programs that the Commission can benefit from when establishing 
the proposed Pilot program? The Commission further proposes that the 
Bureau review applications and select participants, in consultation 
with the Office of Economics and Analytics (OEA), the Public Safety and 
Homeland Security Bureau (PSHSB), and the Office of the Managing 
Director (OMD), as needed, and seek comment on this proposal. Lastly, 
to assist with program administration and ensure that the proposed 
Pilot program runs efficiently, the Commission proposes to delegate to 
the Bureau the authority to implement the proposed Pilot program and to 
direct USAC's administration of the Pilot program, consistent with the 
Commission's rules and orders, and seek comment on this proposal.
    15. Pilot Program Duration. The Commission proposes that the Pilot 
program will make funding available to participants for a three-year 
term, and seek comment on this proposal. Does a three-year term provide 
sufficient data to the Commission to evaluate how effective the Pilot 
funding is in protecting K-12 schools and libraries,

[[Page 90145]]

and their broadband networks and data, from cyberattacks and other 
cyber threats? The Commission acknowledges that there may be a tradeoff 
between learning more from the Pilot program and moving quickly to 
potentially expand support to protect all K-12 schools' and libraries' 
broadband networks and data from cyber threats. Are there ways to 
shorten the length of the Pilot, for example, by using a single 
application window that remains open until funds are exhausted, without 
compromising the amount or quality of the data the Pilot will generate? 
Should the Pilot program period include additional ramp-up time, to 
allow participants an opportunity to prepare for the Pilot? Should the 
Pilot program include additional time at the end of the three-year term 
for the Commission to evaluate results? The Commission seeks comment on 
the three-year term proposal and these related questions.
    16. Pilot Budget. The Commission proposes a budget of $200 million 
over the three-year duration of the proposed Pilot program, and seek 
comment on this proposal. Will a budget of $200 million be sufficient 
to obtain and receive meaningful data on how this funding helped to 
protect schools' and libraries' broadband networks and data and 
improved their ability to address K-12 cyber issues? Conversely, would 
a lower budget be sufficient for these purposes (e.g., $100 million) 
while also putting less pressure on the contribution factor? How should 
the total Pilot program budget be distributed over the three-year 
funding period? Should each selected project's funding commitment be 
divided evenly across the Pilot program duration? For example, if a 
selected project requests and receives a $9 million funding commitment 
and the funding period is three years, should the project receive $3 
million for each year? Alternatively, are there reasons why a Pilot 
participant may need access to a greater amount of funding up front? If 
the Commission allows Pilot participants to access a greater amount 
earlier in the term, how can the Commission forecast a predictable 
budget over the three-year term? The Commission seeks comment on these 
questions.
    17. As this proposed Pilot should not divert resources from the 
existing universal service support programs, the Commission proposes 
requiring USAC to separately collect on a quarterly basis the funds 
needed for the duration of the Pilot program. The Commission expects 
that funding the Pilot program in this manner would not significantly 
increase the contributions burden on consumers. This approach also 
would not impact the budgets or disbursements for the other universal 
service programs. The Commission seeks comment on this approach. Should 
the collection be based on the quarterly demand for the Pilot program? 
The Commission also proposes to have excess collected contributions for 
a particular quarter carried forward to the following quarter to reduce 
collections. Under this approach, the Commission also proposes to 
return to the Fund any funds that remain at the end of the Pilot 
program. Are there other approaches the Commission should consider for 
funding the Pilot program? Are there any tradeoffs between allocating 
funding to the proposed Pilot program as it relates to the size of the 
E-Rate program and the USF more generally? The Commission also seeks 
comment on whether the costs associated with the proposed Pilot program 
will impact other stakeholders' requests related to the use of 
universal service and E-Rate funding, such as allowing ECF-funded 
services to continue to be funded through the E-Rate program after the 
ECF program sunsets. Will the proposed $200 million budget help 
alleviate any concerns about the impact that this Pilot may have on the 
USF? How can the Commission best balance the need to provide funding 
for cybersecurity and advanced firewall services with its 
responsibility as a careful and prudent steward of limited federal 
resources?
    18. Should the Commission establish a maximum funding cap per Pilot 
participant? Should the Commission establish a per-student cap (and a 
corresponding cap on libraries based on their square footage), based on 
commercially available costs? Are there data sources for cost 
information that would be appropriate to use in setting such a cap? Or 
should the Commission allow selected Pilot participants to receive a 
different amount of funding that aligns with their application? Should 
the Commission adjust awards based on the Pilot participant's category 
two discount rate level? Should Pilot participants be required to 
contribute and be responsible for a portion of the costs in order to 
receive Pilot program funding? For example, the Commission proposes 
that Pilot participants will be subject to their current category two 
discount rate as the non-discounted share of costs for the Pilot 
program; should the Commission instead require participants to 
contribute a fixed percentage of the costs of the services and 
equipment purchased? How can the Commission ensure Pilot participants 
are making cost-effective purchases through this Pilot program?
    19. Should the Commission disburse a smaller amount of funding to a 
larger number of Pilot participants to increase the total volume of 
cybersecurity data available? Or should the Commission disburse a 
larger amount of funding to fewer Pilot participants to obtain a more 
holistic look at how the support could best be used to protect E-Rate-
funded broadband networks and data, as well as help K-12 schools and 
libraries address cybersecurity issues? Which approach would generate 
the best data to determine whether and how universal service support 
could most effectively be leveraged to help K-12 schools and libraries 
protect their E-Rate-funded broadband networks and data from targeted 
cyberattacks and other cyber threats?
    20. Under its proposals, once selected, Pilot participants will be 
required to submit funding applications for the requested services and 
equipment. To ease administration of the Pilot, the Commission proposes 
that participants be permitted to seek funding for services and 
equipment to be provided over the proposed three-year term in a single 
application and be supported by multi-year contract/agreement(s) for 
this term. The Commission seeks comment on these proposals and 
questions.
    21. The Commission next discuss what types of entities should be 
eligible to participate in the proposed Pilot program. In doing so, the 
Commission notes that the number and type of schools and libraries that 
participate in the E-Rate program vary significantly. Who should be 
eligible to participate in the Pilot program and how should the 
Commission select Pilot participants? How can the Commission ensure 
that it identifies a wide cross-section of Pilot participants to allow 
it to evaluate the effectiveness of providing universal service support 
for K-12 schools' and libraries' cybersecurity needs, and do so in a 
fair and transparent manner? Should the Commission limit eligibility to 
schools and libraries currently participating in the E-Rate program or 
should it expand eligibility to include schools and libraries that do 
not currently participate in the E-Rate program? Should the Commission 
select Pilot participants based on specific objective factors like: E-
Rate category two discount rate levels; location (e.g., urban vs. 
rural); and/or participant size (i.e., small schools, school districts, 
and libraries vs. large schools, school districts, and libraries)? How 
should the Commission define, or what sources should the Commission use 
to define, these factors to ensure they are applied objectively? Are 
any of these factors (i.e., discount rate level, urban vs. rural,

[[Page 90146]]

large vs. small) more or less important than others from an eligibility 
perspective? If yes, why are particular factors more or less important 
than others? Are there other factors the Commission should consider 
when determining who should be eligible to participate in the Pilot and 
how participants should be selected? For example, would the Pilot 
benefit from including schools and libraries that have advanced 
expertise in cybersecurity as participants because they presumably 
would know how to best spend the Pilot funding? Or, should 
cybersecurity expertise not be a factor at all in the selection of 
Pilot participants? How can the Commission ensure that schools and 
libraries that lack funding, expertise, or are otherwise under-
resourced can meaningfully participate in the Pilot? Is there a way to 
compare the cybersecurity performance of Pilot participants against 
non-participants (e.g., through the use of a survey or other data 
collection process) in a way that contrasts the current cybersecurity 
posture of Pilot participants with that of non-participants? To be 
eligible for the Pilot program, should Pilot participants be required 
to demonstrate that they have started taking actions to improve their 
cybersecurity posture by, for example, starting to implement some of 
the DOE and CISA K-12 cybersecurity recommendations or potential 
forthcoming Council guidance or other similar actions? Or conversely, 
should a school or library be required to provide a certification or 
other confirmation that, absent participation in the Pilot, it does not 
have the resources to start implementing CISA's K-12 cybersecurity 
recommendations? The Commission seeks comment on these preliminary 
participant eligibility questions.
    22. In today's broadband-reliant environment, there are a plethora 
of evolving cyber threats and attacks. Should the Commission limit 
schools' and libraries' eligibility to participate in the Pilot program 
to those schools and libraries that have faced or are facing certain 
types of cyber threats or attacks? If so, which cyber threats or 
attacks should qualify a school or library for participation in the 
Pilot program? Are there certain types of cyber threats or attacks that 
schools and libraries most commonly face and are there any emerging 
cyber threats or attacks that have only recently arisen? What types of 
cyber threats or attacks are the most harmful or costly for schools or 
libraries to combat and/or recover from? What difficulties have schools 
and libraries faced when attempting to address cyber threats and 
attacks on their own? The Commission seeks comment on the types of 
cyber threats and attacks encountered by schools and libraries and how 
they should be evaluated, if at all, when selecting Pilot participants.
    23. Past experience also indicates that there may be common cyber 
threats and attacks faced by K-12 schools, school districts, and 
libraries regardless of their particular characteristics (e.g., urban 
vs. rural, and large vs. small). However, the history of attacks also 
indicates that certain K-12 schools and libraries may be more likely 
than others to be targeted by malicious actors due to lack of 
information technology (IT) funding or constrained staff resources. 
When selecting Pilot participants, should the Commission consider an 
applicant's previous history regarding cyber threats or attacks? If 
yes, should the Commission select as Pilot participants schools and 
libraries with greater or fewer cyber incidents? How should the 
Commission define, or what sources should it use to define, a 
``greater'' versus ``fewer'' number of cyber incidents? Should the 
Commission assess ``greater'' or ``fewer'' in absolute terms or 
relative terms? For instance, should a school district with 100,000 
students and school staff that faces 1,000 cyber incidents per year be 
viewed as having more incidents than a school district with 10,000 
students and school staff that faces 900 incidents per year? Or, should 
the latter school district be seen as having more cyber incidents on a 
per-student and school staff member basis? Would the Pilot benefit from 
including both schools and libraries that have never experienced a 
cyber threat or attack, as well as those that have experienced at least 
one cyber threat or attack? In commenters' experience, are there 
certain types of schools or libraries that are more likely to face 
cyber threats or attacks? Are schools or libraries in certain 
geographic or socioeconomic settings more vulnerable than others to 
cyber threats or attacks? What role does lack of IT funding or 
constrained staffing resources play in the likelihood or frequency of 
cyber threats or attacks? When selecting Pilot participants, should 
cybersecurity risk, geographic or socioeconomic factors, staffing 
constraints or financial need, or technical challenges play a role in 
participant selection? The Commission seeks comment on the 
characteristics and circumstances that may result in a school or 
library being more or less likely to be targeted for a cyber threat or 
attack, and the role those characteristics should play in Pilot 
participant selection. Are there ways to ensure that under-resourced 
schools and libraries can meaningfully participate in the Pilot? For 
example, should the Commission direct USAC to provide assistance to 
schools and libraries that are under-resourced and may lack experience 
to assist them throughout the Pilot? The Commission also encourages 
commenters to share any first-hand knowledge they may have regarding 
factors that may increase or decrease the likelihood of a school or 
library being targeted for a cyber threat or attack, and discuss if or 
how that information should be considered in the Pilot participant 
selection process.
    24. Prerequisites. There are a number of free and low-cost 
cybersecurity tools and resources available to K-12 schools and 
libraries. Should the Commission adopt any prerequisites for Pilot 
program participation? For example, should Pilot participants be 
required to take a more active role in improving/enhancing their 
cybersecurity posture? If so, how should this be monitored and 
enforced? For example, should Pilot participants be required to correct 
known security flaws and conduct routine backups as part of this Pilot 
program? Should Pilot participants be required to participate in other 
federal efforts to share cybersecurity information and resources, such 
as the MS-ISAC or the K12 SIX? Should Pilot participants be required to 
implement, or demonstrate how they plan to implement, recommended best 
practices from organizations like the DOE, CISA, and NIST, as they are 
able? Should Pilot participants be required to take steps on their own 
to improve their cybersecurity posture by, for example, designating an 
officer or other senior-level staff member responsible for 
cybersecurity implementation, updates, and oversight, or implementing a 
cybersecurity training program for their staff and network users? The 
Commission seeks comment on these questions.
    25. Should the Commission only include as Pilot participants those 
schools and libraries that have already implemented or are in the 
process of implementing CISA's K-12 cybersecurity recommendations, or 
have otherwise begun the process of implementing a cybersecurity 
framework or program? Are there any schools or libraries that have 
implemented or are in the process of implementing the DOE's or CISA's 
K-12 cybersecurity recommendations or another cybersecurity framework 
or program, to protect their E-Rate-funded networks and data? If so, 
what actions have been the most successful in establishing and 
implementing

[[Page 90147]]

cybersecurity recommendations, or a cybersecurity framework or program? 
The Commission also asks schools and libraries that are already 
implementing or experimenting with CISA's K-12 cybersecurity 
recommendations, or another cybersecurity framework or program, to 
provide us with information about their cybersecurity projects and 
discuss how these actions should influence, if at all, the Pilot 
participant selection process. For schools and libraries that have not 
taken any preventative or mitigating actions, what are the key 
impediments to implementing a more robust cybersecurity posture? If 
cost is the reason that schools or libraries have been unable to 
implement and strengthen their cybersecurity posture, is there other 
federal, state, or local funding available that could be used in place 
of or in addition to universal service funding to help address cyber 
threats and attacks? If other sources of funding are available, should 
schools and libraries be required to seek or already have obtained 
cybersecurity funding commitments from other federal, state, or local 
sources to be eligible to participate in this proposed Pilot program? 
The Commission seek comment on what prerequisites, if any, should be 
adopted to be a Pilot participant.
    26. In the December 2022 Public Notice, the Commission sought 
comment on ``the specific equipment and services that E-Rate should . . 
. fund as advanced or next-generation firewalls and services.'' Nearly 
all commenters who opined on this topic advocated for the eligibility 
of at least next-generation firewalls. Many of these commenters further 
advocated for the eligibility of a range of additional security 
measures, including some or all of: MFA, domain name system (DNS) 
security, distributed denial-of-service (DDoS) protection, and/or VPN. 
On the other hand, a small number of commenters urged the Commission to 
adopt general criteria for eligibility, rather than enumerate specific 
technologies (e.g., firewalls) as eligible, believing that this 
approach would provide E-Rate participants with appropriate flexibility 
in addressing their individualized security needs and ultimately better 
ensure the security of E-Rate-supported networks.
    27. Commenters, however, were opining on security measures that 
would be appropriate for inclusion in the E-Rate program rather than on 
security measures that would be appropriate for inclusion in today's 
proposed Pilot. Therefore, to resolve any ambiguity and further develop 
the record specifically as to the proposed Pilot, the Commission seeks 
further comment on the security measures, including equipment and 
services, that should be made eligible to participants in the Pilot. 
The Commission also seeks comment on whether it should place 
restrictions on the manner or timing of a Pilot participant's purchase 
of security measures. For example, should Pilot funding be limited to a 
participant's one-time purchase of security measures or should the 
support cover the on-going, recurring costs that a Pilot participant 
may incur, for example, in the form of continual service contracts or 
recurring updates to the procured security measures? The Commission 
notes that an appropriate set of eligible measures and the timing for 
the security measures would balance its goal of using the Pilot to 
meaningfully assess the effectiveness of a wide range of different 
security approaches with the need to conserve and efficiently use the 
limited funding available for the Pilot to gain sufficient insight into 
each of those approaches. As a preliminary point, the Commission seeks 
comment on whether it should specify eligibility in terms of general 
criteria rather than as a list of specific technologies. If so, what 
should the eligibility criteria be? For example, should the Commission 
adopts the Schools, Health & Libraries Broadband Coalition's (SHLB 
Coalition) proposed general criteria that would deem any security 
measure eligible as long as it ``keep[s] the network from being shut 
down and . . . protect[s] the privacy of user data'' or would some 
other general criteria be more appropriate? SHLB Coalition's views 
notwithstanding, the Commission believes that specifying an enumerated 
list of eligible security technologies/measures would provide more 
specific, and thus clearer, eligibility guidance to Pilot participants 
than would general eligibility criteria, ultimately leading to a more 
efficient use of the Pilot program's funds. A finite list of allowable 
cybersecurity options would also make comparisons of outcomes more 
tractable across Pilot participants. On the other hand, are there 
concerns that potential evolutions in security measures/technologies 
during the duration of the Pilot would render an enumerated Commission 
list of eligible technologies/measures outdated before the end of the 
Pilot? Are there concerns that limited Pilot funds could be used 
inefficiently, or misused, if the Commission adopts an approach based 
on generalized criteria? Should eligibility be limited to cybersecurity 
measures that are primarily or significantly used to facilitate 
connectivity? How does section 254 limit the kinds of cybersecurity 
solutions that can be purchased, and how they may be deployed, using 
pilot funds? The Commission seeks comment on these issues and more 
generally on the relative advantages and disadvantages of specifying 
eligibility in terms of an enumerated list of security measures/
technologies as compared to general criteria.
    28. If the Commission adopts a list of eligible measures/
technologies, at what granularity should that list be specified? For 
example, should the Commission publish a specific list of security 
measures (similar to the Eligible Services List for the E-Rate 
program), to help participants understand which services and equipment 
are eligible for support through the proposed Pilot program? Should a 
list of resources from MS-ISAC be included in the application, so that 
applicants can easily select desired services from the list, thereby 
simplifying the application process? Moreover, what are the specific 
measures that should be included on that list? The Commission notes 
that a number of commenters opined that new security measures should be 
limited to advanced and next-generation firewalls, in the context of 
discussing the E-Rate program. Are these the most important tools 
schools and libraries could adopt and how does the import of these 
cybersecurity tools compare to other tools identified in the record? 
For example, CISA and the DOE have identified things like MFA, regular 
software and hardware updates, and regular backups as important tools 
for combatting network threats. Do commenters continue to believe that 
focusing funding efforts primarily or exclusively on advanced and next-
generation firewalls is appropriate in the context of today's proposed 
Pilot, which would utilize separate USF funding and aims to evaluate 
the effectiveness of a wide range of security approaches? If the list 
of eligible security measures should be more expansive than advanced 
firewalls in the context of today's Pilot, which other measures should 
be included? For example, should the Commission determine eligible 
measures based on the recommendations from the CISA K-12 Cybersecurity 
Report, the DOE K-12 Digital Infrastructure Briefs, and/or other 
federal partner resources and guides. If so, how?
    29. Moreover, the Commission notes that while nearly all commenters 
advocated for the eligibility of at least advanced or next-generation 
firewalls and services, commenters generally disagree on which features 
an

[[Page 90148]]

``advanced firewall'' service includes. For example, commenters 
variously opined that advanced firewalls should include some or all of: 
intrusion detection and prevention, application-level inspection, anti-
malware and anti-virus protection, VPN, DNS security, DDoS protection, 
and content filtering. If the Commission were to make advanced firewall 
services eligible, how should ``advanced firewall'' be defined for the 
purposes of the proposed Pilot program? Alternatively, given the lack 
of consensus around the scope of these terms, and the import of this 
technology, should the Commission simply make ``firewalls'' eligible 
for the Pilot without regard to whether they are ``basic'' or 
``advanced/next-generation'' as has been suggested to the Commission? 
If the Commission were to adopt a single, updated ``firewalls'' 
definition for purposes of the Pilot that includes advanced or next-
generation firewalls, should the definition encompass intrusion 
detection and prevention, application-level inspection, anti-malware 
and anti-virus protection, VPN, DNS security, DDoS protection, and 
content filtering and/or other measures/technologies? Given the limited 
amount of funding available, which of these measures/technologies 
should the Commission prioritize for inclusion within a broader 
definition of ``firewall'' and for what reasons?
    30. The Commission further proposes to limit Pilot eligibility to 
equipment that is network-based (i.e., that excludes end-user devices, 
including, for example, tablets, smartphones, and laptops) and services 
that are network-based and/or locally installed on end-user devices, 
where the devices are owned or leased by the school or library. To be 
eligible for the Pilot, the Commission further proposes that the 
equipment or services be designed to identify and/or remediate threats 
that could otherwise directly impair or disrupt a school's or library's 
network, including to threats from users accessing the network 
remotely. The Commission notes that this proposed eligibility criteria 
would apply regardless of whether the equipment or services are located 
within a school's or library's classroom or other physical premises. 
The Commission believes that this eligibility criteria, which is not 
restricted to physical premises, would provide schools and libraries 
with the flexibility to cost-effectively procure remotely-located 
equipment and services obviating a potentially costly need to install, 
maintain, and troubleshoot solutions on-site. The Commission also 
believes that this approach is consistent with the way that many modern 
security services are increasingly offered, i.e., as a remotely-located 
or cloud-based, centralized resource accessible via the internet. The 
Commission further believes that limiting eligible services to end-user 
devices owned or leased by a school or library strikes a reasonable 
balance between protecting those entities' networks with the need to 
limit the scope of protections given the limited Pilot funding 
available. The Commission believes that its approach also reflects the 
reality that schools and libraries often already restrict the 
permissions available to third-party-owned devices that connect to 
their networks. The Commission seeks comment on this proposed scope of 
eligibility or any further restrictions, or relaxation of this 
proposal, that would best protect school and library broadband networks 
at a reasonable cost.
    31. As noted, the DOE and CISA K-12 cybersecurity recommendations 
describe a broad range of steps that K-12 entities may utilize to 
address cybersecurity risks, and many of these steps go beyond the 
types of specific firewall and technical technologies/measures that the 
Commission has traditionally deemed eligible for reimbursement within 
the context of the E-Rate program. For example, the DOE and CISA 
recommend that entities develop a mature cybersecurity plan, leverage 
existing free or low-cost cybersecurity services, negotiate for the 
inclusion of certain services with their technology providers, and 
engage in strategic collaboration, information-sharing, and 
relationship-building with other entities. CISA's CPGs similarly 
recommend a broad range of cybersecurity practices, including practices 
related to asset management, organizational cybersecurity leadership 
structure, and reporting processes, that entities may use to reduce 
their cyber risk and help them develop the cybersecurity plan needed to 
implement the NIST Cybersecurity Framework (CSF). These recommendations 
again involve actions that go beyond the traditional measures that the 
Commission has found to be eligible for reimbursement in the E-Rate 
program.
    32. The Commission thus seeks comment on whether it should allow 
participants to use Pilot funds to meet any of the DOE or CISA K-12 
cybersecurity recommendations or CISA CPGs, or otherwise improve/
enhance their cybersecurity posture and, if so, what the appropriate 
restrictions or limitations on the eligibility of such measures should 
be. Does the Commission have legal authority to allow spending on these 
broader DOE and CISA recommendations and CISA CPGs? If so, based on 
which statutory provisions and other sources of authority? 
Alternatively, should Pilot funding be limited to equipment and 
services that can directly protect the E-Rate-funded broadband networks 
and data, as has traditionally been the case within the E-Rate program?
    33. Similarly, does the Commission have legal authority to fund 
broader steps that entities may take to address cybersecurity risks, 
such as through staff or user cybersecurity training, that are 
necessary parts of a K-12 school's or library's cybersecurity plan/
framework as part of this proposed Pilot program? Or should staff and 
user cybersecurity training be treated similarly as the necessary 
resources needed to be able to participate in the Pilot program, 
similar to the necessary resources rule for the E-Rate program? As 
discussed earlier, CISA has provided a number of free and low-cost K-12 
cybersecurity tools and resources, including staff and user 
cybersecurity training in Appendix 1 to its K-12 Cybersecurity Report. 
The Commission seeks comment on these questions and what services and 
equipment should be eligible for support in the Pilot program.
    34. The Commission proposes that Pilot participants comply with the 
new proposed rules, that largely reflect and mirror its existing E-Rate 
rules, including by requiring competitive bidding, prohibiting gifts, 
and requiring that a participant pay its non-discounted portion of the 
costs of the supported services. The Commission believes that this 
approach is appropriate given the structural similarities of E-Rate and 
the Pilot, which is designed to study the expansion of equipment and 
services supported by E-Rate program. The Commission believes that the 
Pilot rules are likely to be effective for the same reason that the E-
Rate rules, which have been developed and refined by it over many 
years, have proven to be effective. The Commission further believes 
that by modeling today's proposed rules on the existing E-Rate rules, 
it would ease compliance burdens for Pilot participants who are likely 
already familiar with, and have appropriate compliance measures in 
place to address, existing E-Rate program requirements. The Commission 
seeks comment on today's proposed rules and these preliminary 
conclusions.
    35. While today's proposed rules would mirror in most respects the 
Commission's E-Rate rules, it proposes some deviations from those 
rules. For

[[Page 90149]]

example, the Commission proposes to adopt several rules from the ECF 
program that are not included in the E-Rate rules. First, the 
Commission proposes to use the shorter timeframe for appealing a 
decision by USAC or requesting a waiver of the Commission's rules. 
Second, the Commission proposes that invoices must also be submitted 
along with the request for reimbursement, as required in the ECF 
program. The Commission believes that these two deviations from the E-
Rate rules will work better for the Pilot program as it is a short-term 
program, similar to the ECF program. The Commission seeks comment on 
these proposals. The Commission also seeks comment on whether any of 
today's proposed rules should not be adopted, or adopted in a different 
form than proposed for logical, policy, administrative, or other 
reasons. For example, should the Commission allow Pilot participants to 
select the invoicing mode, as is required in the E-Rate rules? Or 
should the service provider be required to affirmatively agree to 
invoice on behalf of the Pilot participant as required in the ECF 
rules? The Commission tentatively concludes that it should allow Pilot 
participants to determine which invoicing mode will be used and the 
Commission seeks comment on these questions and tentative conclusion. 
In providing comments, the Commission requests that commenters provide 
specific cites to relevant provisions of the proposed rules and, if 
instructive, the E-Rate rules. The Commission also requests that 
commenters describe any proposed rule modifications in detail. The 
Commission also seeks comment on whether it should promulgate any 
additional new rules, specific to the Pilot program. For example, what 
rules might the Commission adopt to ensure the collection of data that 
will aid it in evaluating the effectiveness of various cybersecurity 
approaches via the Pilot and an application filing window for the 
selection of Pilot participants?
    36. The Commission also proposes to create a standardized set of 
forms for the Pilot as it believes this will both increase 
administrative efficiency and reduce burdens for the Pilot 
participants. The Commission's proposals is informed by its significant 
experience creating and employing standardized forms in a number of USF 
programs, including E-Rate, ECF, and the Connected Care Pilot Program. 
The Commission seeks comment on whether its objectives of 
administrative efficiency and minimizing Pilot participant burdens 
would best be met if the Commission leverages the forms used in its 
other USF programs as a starting point for creating forms for the 
Pilot. Based on its experience with E-Rate and ECF, in particular, the 
Commission proposes to create new forms for the Pilot participants that 
mirror the E-Rate FCC Form 470: Description of Services Requested and 
Certification Form; E-Rate/ECF FCC Form 471: Description of Services 
Ordered and Certification Form; E-Rate/ECF FCC Form 472: Billed Entity 
Applicant Reimbursement (BEAR) Form; and the E-Rate/ECF FCC Form 474: 
Service Provider Invoice (SPI) Form. The new Pilot forms would thus 
allow participants to: (i) request Pilot-eligible services and 
equipment and open the competitive bidding process among vendors of 
these services and equipment; (ii) describe services and equipment the 
participant ordered after competitive bidding and request applicable 
discounts on the services and equipment; (iii) request reimbursement 
from USAC for the discounted costs of eligible services and equipment 
that have been approved by USAC and for which the applicant has 
received and paid for in full (i.e., BEAR invoicing); and (iv) request 
reimbursement from USAC for the discounted costs of eligible services 
and equipment that have been approved by USAC for which the applicant 
has received and paid the non-discounted portion to the service 
provider (i.e., SPI invoicing), respectively. The Commission seeks 
comment on its proposals to use these forms for the Pilot. The 
Commission further proposes to create a new Pilot participant 
application form (Form 484) that will collect the data proposed in 
paragraph 27 of the NPRM. The Commission will still leverage the data 
available in the E-Rate Productivity Center (EPC) and the ECF Portal to 
streamline the application process by auto-populating with Pilot 
applicant data that is already available through the E-Rate and ECF 
online systems. The Commission seeks comment on this proposal.
    37. The Commission also seeks comment on whether any other new 
forms, processes, and software systems are needed or would be 
beneficial for the Pilot and on how these should be structured. For 
example, can the Commission leverage existing E-Rate or ECF forms, 
processes, and software systems for the disbursement of funding in the 
Pilot program? Additionally, can the Pilot incorporate the existing E-
Rate or ECF processes and software systems for seeking bids, requesting 
funding, and requesting disbursements/invoicing? What challenges or 
obstacles to using existing E-Rate or ECF forms, processes, and 
software systems exist, if any, and how can the Commission address them 
in the Pilot? Can the Pilot leverage existing E-Rate or ECF invoicing 
procedures, including the program's associated deadlines for submitting 
invoices, and what modifications, if any, should be made to these 
deadlines to better reflect the structure of today's Pilot program as 
compared to the E-Rate or ECF programs? For example, how should the 
Commission define and implement a service delivery date for the Pilot 
program given its limited three-year duration? The Commission seeks 
detailed comment on these questions.
    38. The Commission also seeks comment on steps the Commission can 
take to protect the program integrity of the Pilot and its limited USF 
funds. Should the Commission apply the E-Rate and/or ECF program 
integrity rules to the Pilot and, if so, what modifications, if any, 
should the Commission make to those rules? The Commission proposes 
similar program integrity protections, for example, document retention 
requirements, audits, site visits, and other methods of review in the 
Pilot program. The Commission seeks comment on these proposals and 
questions. To further protect program integrity, the Commission also 
proposes that that it apply its existing USF suspension and debarment 
rules to the Pilot. The Commission additionally notes that it is 
considering whether to update its suspension and debarment rules to 
provide it with broader and more flexible authority to promptly remove 
bad actors from participating in USF and other programs in a separate, 
pending proceeding. To the extent that this proceeding is resolved and 
results in final rules prior to or during the duration of the Pilot 
program, the Commission proposes to apply the updated rules to the 
Pilot program. The Commission believes that the steps outlined here 
would strike an appropriate balance between encouraging active 
participation in the Pilot by various schools and libraries and 
protecting the program integrity of the Pilot and its limited funds. 
The Commission seeks comment on its proposals, including the 
sufficiency of its legal authority to take its proposed actions, and 
any additional or alternative steps the Commission should take to 
safeguard the integrity of the proposed Pilot.
    39. These proposals would create a Pilot that allows participants 
to receive universal service support for

[[Page 90150]]

cybersecurity and advanced firewall services, an expansion of the basic 
firewall services currently allowed in the E-Rate program. In the 
December 2022 Public Notice, the Commission sought comment on whether 
it had sufficient legal authority for funding advanced firewall 
services, including pursuant to sections 254(c)(1), (c)(3), (h)(1)(B), 
and (h)(2) of the Communications Act, and any other legal issues or 
concerns it should consider based on the proposals. All commenters who 
opined agreed that the Commission had sufficient legal authority to 
fund advanced firewall equipment and services. The record thus 
indicates that it has sufficient legal authority for today's proposed 
Pilot. The Commission seeks comment on this view and on the other 
aspects of legal authority raised below.
    40. As a preliminary matter, the record to date supports 
commenters' views that today's Pilot, which would use USF funding to 
support the provision of cybersecurity and advanced firewall services 
to participating schools and libraries, is consistent with Congress's 
view that the USF represents an evolving level of service. The 
Commission finds it likely that the results of the Pilot would inform 
potential future actions that it takes to further its obligation to 
``establish periodically'' universal service rules that ``tak[e] into 
account advances in telecommunications and information technologies and 
services.'' The utility and necessity of the proposed new services, 
including cybersecurity and advanced firewall services, reflects 
ongoing advances in networks and the associated threats that schools' 
and libraries' broadband networks face today compared to in years past. 
The Commission seeks comments on these views.
    41. The record supports commenters' view that the Commission has 
legal basis for today's proposed Pilot pursuant to section 254(h)(2)(A) 
of the Communications Act ``to enhance, to the extent technically 
feasible and economically reasonable, access to advanced 
telecommunications and information services for all public and 
nonprofit elementary and secondary school classrooms . . . and 
libraries . . .'' based on two distinct views. First, the proposed 
Pilot could make a number of new services, including, for example, 
advanced and next-generation firewalls, VPNs, intrusion detection and 
prevention protection, DNS security, and/or DDoS protection, directly 
available to participants. Each of these services is itself an 
``advanced telecommunications'' and/or ``information service'' as each 
filters the information permitted to influence and affect participants' 
telecommunications networks. Second, the proposed new services would 
remediate many common types of cyber threats that would otherwise 
dimmish the ability of schools and libraries to use their existing 
``advanced telecommunications and information services'' (e.g., the 
internet), thereby meaningfully ``enhanc[ing]'' their access to the 
existing services. The Commission seeks comment on these two views. For 
example, according to the first view, to what extent are the services 
included in today's pilot proposal themselves ``advanced 
telecommunications and information services'' within the meaning of 
section 254(h)(2) of the Communications Act?
    42. In addition, the Commission believes that by taking steps to 
deter harm to a school or library network when it is accessed remotely 
on end-user devices that are owned or leased by the school or library, 
it is necessarily also ensuring that the same network would remain 
functional when accessed from within a traditional school classroom or 
a library's physical premises. This reflects the fact that students can 
access school networks before or after school hours to complete 
homework and other assignments, which often occurs from the home or 
another location outside of the school premises. The Commission seeks 
comment on these views, generally on its legal authority for today's 
proposals and on the physical spaces that qualify for eligible 
equipment and services, whether based on legal authority considerations 
or other practical concerns.
    43. The Commission further believes that today's Pilot is 
``technically feasible and economically reasonable'' as required by 
section 254(h)(2)(A) of the Communications Act. While the Commission 
has previously expressed a view, as recently as 2019, that any 
expansion of cybersecurity services beyond basic firewall services may 
be cost-prohibitive to the E-Rate program, the Commission seeks comment 
on whether changed circumstances in the years since that determination 
(and earlier Commission determinations) warrant today's proposed Pilot. 
As discussed, the COVID-19 pandemic changed the extent to which K-12 
schools and libraries utilize their networks to deliver quality 
education and learning materials off-premises to students and patrons. 
Moreover, since 2021, Congress, CISA, GAO, and other federal agencies 
have effectuated legislation or taken other actions to study how the 
number and variety of cyberthreats facing K-12 schools and libraries 
continues to evolve. The Commission believes that today's Pilot 
reflects these actions by seeking to better understand the nature of 
current cyber threats faced by K-12 schools and libraries participating 
in the E-Rate program. Moreover, the Commission has designed the Pilot 
to limit USF expenditures until the nature of any significant threats 
are understood based on the Pilot's results in several ways. One, the 
costs of today's proposals would fall entirely within a time-limited, 
three-year USF-supported Pilot program, and not would not draw from the 
budget for the E-Rate program. Two, the costs would be mitigated 
because the Commission proposes that the participants be required to 
leverage other free and low-cost K-12 cybersecurity tools and services 
as part of their cybersecurity action plans. The Commission expects to 
obtain results from the Pilot that will enable us to make informed 
long-term decisions on whether any of the equipment and services 
studied in the program would be cost-effective to include in E-Rate, 
should it address that matter through subsequent Commission action. The 
Commission expects these steps will lead to lower USF costs as the 
burden for K-12 cybersecurity protection will not be borne solely by 
the E-Rate program or other universal service program funding. The 
Commission seeks comment on these views.
    44. The record also supports commenters' view that the Commission 
has an additional legal basis for structuring the Pilot program as 
proposed today pursuant to section 254(c)(3) of the Communications Act. 
This section grants the Commission authority to ``designate additional 
services for [USF] support . . . for schools [and] libraries.'' The 
Commission's proposed Pilot is consistent with this authority, the 
record indicates, as the Pilot would allow for the designation of 
additional services that may be used by participating schools and 
libraries based on USF funding. Moreover, the results of the proposed 
Pilot program could be used by the Commission to inform potential 
further actions to facilitate the availability of these services to 
schools and libraries based on the USF. The Commission seeks comment on 
these preliminary conclusions.
    45. Other Legal Bases and Considerations. The Commission seeks 
comment on the extent to which the cybersecurity and advanced firewall 
services made available through its proposed Pilot fulfill its mandate 
to

[[Page 90151]]

make ``[q]uality services'' available at just, reasonable, and 
affordable rates. Does ensuring that E-Rate-funded networks are able to 
implement strong and up-to-date cybersecurity measures, through the 
services funded through this Pilot program, further this statutory goal 
and, if so, how does ensuring the protection and privacy of school and 
library networks contribute to the provision of ``[q]uality services''?
    46. The record to date indicates that the statutory bases 
identified, taken collectively or individually, provide sufficient 
authority for the Commission's proposals. The Commission seeks comment 
on this view. The Commission also seeks comment on any other sources of 
legal authority, or constraints on such authority, that could bear on 
or otherwise impact today's proposals. For example, does the Commission 
have bases for its proposals based on its authority to set discounted 
rates for certain services provided to schools and libraries pursuant 
to section 254(h)(1)(B) of the Communications Act? Relatedly, do the 
services made eligible in today's Pilot fall within the scope of 
services that telecommunications carriers can be required to provide 
pursuant to this statute?
    47. Limits and Restrictions. The Commission further seeks comment 
on any other limits and restrictions that it should place on recipients 
of Pilot funds to remain within the statutory authority identified and 
on any other legal requirements that apply to its implementation of the 
proposed Pilot program. For example, should recipients of Pilot funds 
be barred from selling, reselling, or otherwise transferring the 
services that they receive using funds provided for by the Pilot 
program? The Commission proposes to apply the Secure and Trusted 
Communications Networks Act of 2021 to Pilot participants by 
prohibiting these participants from using any funding obtained through 
the program to purchase, rent, lease, or otherwise obtain any of the 
equipment or services on the Commission's Covered List or to maintain 
any of the equipment or services on the Covered List that was 
previously purchased, rented, leased, or otherwise obtained. The 
Commission seeks comment on this proposal and on whether there are any 
other restrictions or requirements that it should place on recipients 
of Pilot funds based on the Secure Networks Act and/or other related 
concerns related to supply chain security. Should Pilot participants be 
required to refund the USF any unused money, including if they withdraw 
from the Pilot program?
    48. The Children's Internet Protection Act. The Commission also 
seeks comment on the applicability of the Children's Internet 
Protection Act (CIPA) to the Pilot program and USF-funded cybersecurity 
and advanced firewall services for schools and libraries. Congress 
enacted CIPA to protect children from exposure to harmful material 
while accessing the Internet from a school or library. In enacting 
CIPA, Congress was particularly concerned with protecting children from 
exposure to material that was obscene, child pornography, or otherwise 
inappropriate for minors (i.e., harmful content). CIPA prohibits 
certain schools and libraries from receiving funding under section 
254(h)(1)(B) of the Communications Act for internet access, internet 
service, or internal connections, unless they comply with specific 
internet safety requirements. Specifically, CIPA applies to schools and 
libraries ``having computers with internet access,'' and requires each 
such school or library to certify that it is enforcing a policy of 
internet safety that includes the operation of a technology protection 
measure ``with respect to any of its computers with internet access.'' 
Schools, but not libraries, must also monitor the online activities of 
minors and provide education about appropriate online behavior, 
including warnings against cyberbullying.
    49. In the Emergency Connectivity Fund Report and Order, 86 FR 
29136, May 28, 2021, the Commission found that receipt of ECF- or E-
Rate-funds for recurring internet access, internet services, or 
internal connections (if any) triggers CIPA compliance when used with 
any school- or library-owned computer, even if used off-premises. On 
the other hand, the Commission determined that CIPA does not apply to 
the use of any third-party-owned device, even if that device is 
connecting to a school's or library's E-Rate- or ECF-funded internet 
access or internet service. The Commission seeks comment on what impact 
its interpretation of CIPA in the Emergency Connectivity Fund Report 
and Order has on the Pilot or USF-funded cybersecurity and advanced 
firewall services.
    50. At the time of CIPA's enactment, schools and libraries 
primarily owned one or two stationary computer terminals that were used 
solely on-premises. Today, it is commonplace for students, school 
staff, and library patrons to carry internet-enabled devices onto 
school or library premises and for schools and libraries to allow 
third-party-owned devices access to their internet and broadband 
networks. The Commission invites comment on the scope of its authority 
to impose CIPA requirements on third-party devices that may connect 
with school- or library-owned broadband networks as part of this Pilot 
program or school- and library-owned broadband networks funded with USF 
support, and whether the imposition of such requirements would be 
appropriate. Similarly, the Commission invites comment on whether the 
requirements of CIPA should apply to USF-funded cybersecurity and 
advanced firewall services (e.g., cybersecurity software) if placed on 
third-party owned devices that connect to a school- or library-owned 
broadband network.
    51. Finally, the Commission acknowledges there are privacy concerns 
related to certain CIPA requirements, particularly as it relates to 
students' and library patrons' data that is often subject to various 
federal and/or state privacy laws. The Commission seeks comment on 
these privacy issues and any privacy concerns commenters may have about 
the application of CIPA to this Pilot program or USF-funded 
cybersecurity and advanced firewall services for schools and libraries.
    52. The Commission, as part of its continuing effort to advance 
digital equity for all, including people of color, persons with 
disabilities, persons who live in rural or Tribal areas, and others who 
are or have been historically underserved, marginalized, or adversely 
affected by persistent poverty or inequality, invites comment on any 
equity-related considerations and benefits (if any) that may be 
associated with the proposals and issues discussed herein. 
Specifically, the Commission seeks comment on how its proposals may 
promote or inhibit advances in diversity, equity, inclusion, and 
accessibility, as well the scope of its relevant legal authority.

III. Procedural Matters

    53. Regulatory Flexibility Act. As required by the Regulatory 
Flexibility Act of 1980, as amended (RFA), the Commission has prepared 
this Initial Regulatory Flexibility Analysis (IRFA) of the possible 
significant economic impact on a substantial number of small entities 
by the policies and rules proposed in the Schools and Libraries 
Cybersecurity Pilot Program, Notice of Proposed Rulemaking (NPRM). 
Written public comments are requested on this IRFA. Comments must be 
identified as responses to the IRFA and must be filed by the deadlines 
for comments in the NPRM. The Commission will send a copy of the NPRM, 
including this IRFA,

[[Page 90152]]

to the Chief Counsel for Advocacy of the Small Business Administration 
(SBA).
    54. In the NPRM, the Commission proposes a Schools and Libraries 
Cybersecurity Pilot Program (Pilot) that will assist us in obtaining 
valuable data to satisfy the requirements to support cybersecurity and 
advanced firewall services for eligible schools and libraries. The 
Commission seeks comment on what role the federal Universal Service 
Fund (USF) could play in helping K-12 schools and libraries protect 
their E-Rate-funded broadband networks and data, and improve their 
ability to defend against the cyber threats and attacks that have 
increasingly been targeting K-12 schools and libraries, and their 
students' and patrons' data. The Commission expects that the data 
gathered from the Pilot will help us understand whether and how USF 
funds could best be leveraged to help address the K-12 cybersecurity 
challenges, and the data and information collected through this Pilot 
may also aid in the consideration of broader reforms--whether statutory 
changes or updates to rules--that could support helping schools and 
libraries address the significant K-12 cybersecurity concerns that 
impact them.
    55. First, the Commission proposes three goals for the proposed 
Pilot and that the Pilot be for a three-year term with a budget of $200 
million. These include: (1) improving the security and protection of E-
Rate-funded broadband networks and user data; (2) measuring the costs 
associated with cybersecurity and advanced firewall services, and the 
amount of funding needed to adequately meet the demand for these 
services if extended to all E-Rate participants; and (3) evaluating how 
to leverage other federal K-12 cybersecurity tools and resources to 
help schools and libraries effectively address their cybersecurity-
related needs. Second, the Commission proposes that interested K-12 
schools and libraries apply to be Pilot participants by submitting an 
application containing information about how they would use the Pilot 
funds and providing information about their proposed cybersecurity and 
advanced firewall projects. The Commission also seeks comment on the 
application process and the objective criteria for selecting 
participants among the applications it receives for the Pilot. In 
addition, the Commission proposes that Pilot participants be permitted 
to seek funding for services and equipment to be provided over the 
proposed three-year term. The Commission further proposes that Pilot 
participants submit a single application with their funding requests 
that will be relied on for the proposed three-year term of the Pilot 
and be supported by multi-year contract(s)/agreement(s) for this term. 
The Commission also seeks comment on the extent to which E-Rate or ECF 
program processes, rules, and forms could be leveraged and adopted to 
apply to the proposed Pilot, including, for example, competitive 
bidding, funding disbursement, invoicing, document retention, and 
auditing processes, rules, and forms. Finally, the Commission seeks 
comment on its legal authority to establish the proposed Pilot and the 
applicability of the Children's Internet Protection Act (CIPA) to the 
proposed Pilot. The Commissions believe that, through the Pilot, it 
will be able to fund a range of diverse cybersecurity projects for K-12 
schools and libraries throughout the country.
    56. The proposed actions are authorized pursuant to sections 1 
through 4, 201 through 202, 254, 303(r), and 403 of the Communications 
Act of 1934, as amended, 47 U.S.C. 151 through 154, 201 through 202, 
254, 303(r), and 403.
    57. The RFA directs agencies to provide a description of and, where 
feasible, an estimate of the number of small entities that may be 
affected by the proposed rules, if adopted. The RFA generally defines 
the term ``small entity'' as having the same meaning as the terms 
``small business,'' ``small organization,'' and ``small governmental 
jurisdiction.'' In addition, the term ``small business'' has the same 
meaning as the term ``small business concern'' under the Small Business 
Act. A small business concern is one that: (1) is independently owned 
and operated; (2) is not dominant in its field of operation; and (3) 
satisfies any additional criteria established by the Small Business 
Administration (SBA).
    58. Small Businesses, Small Organizations, Small Governmental 
Jurisdictions. The Commission's actions, over time, may affect small 
entities that are not easily categorized at present. The Commission 
therefore describes, at the outset, three broad groups of small 
entities that could be directly affected herein. First, while there are 
industry specific size standards for small businesses that are used in 
the regulatory flexibility analysis, according to data from the Small 
Business Administration's (SBA) Office of Advocacy, in general a small 
business is an independent business having fewer than 500 employees. 
These types of small businesses represent 99.9% of all businesses in 
the United States, which translates to 33.2 million businesses.
    59. Next, the type of small entity described as a ``small 
organization'' is generally ``any not-for-profit enterprise which is 
independently owned and operated and is not dominant in its field.'' 
The Internal Revenue Service (IRS) uses a revenue benchmark of $50,000 
or less to delineate its annual electronic filing requirements for 
small exempt organizations. Nationwide, for tax year 2020, there were 
approximately 447,689 small exempt organizations in the U.S. reporting 
revenues of $50,000 or less according to the registration and tax data 
for exempt organizations available from the IRS.
    60. Finally, the small entity described as a ``small governmental 
jurisdiction'' is defined generally as ``governments of cities, 
counties, towns, townships, villages, school districts, or special 
districts, with a population of less than fifty thousand.'' U.S. Census 
Bureau data from the 2017 Census of Governments indicate there were 
90,075 local governmental jurisdictions consisting of general purpose 
governments and special purpose governments in the United States. Of 
this number, there were 36,931 general purpose governments (county, 
municipal, and town or township) with populations of less than 50,000 
and 12,040 special purpose governments--independent school districts 
with enrollment populations of less than 50,000. Accordingly, based on 
the 2017 U.S. Census of Governments data, the Commission estimates that 
at least 48,971 entities fall into the category of ``small governmental 
jurisdictions.''
    61. Small entities potentially affected by the rules herein include 
Schools, Libraries, Telecommunications Resellers, Local Resellers, 
Wired Telecommunications Carriers, All Other Telecommunications, 
Wireless Telecommunications Carriers (except Satellite), Wireless 
Carriers and Service Providers, Wired Broadband Internet Access Service 
Providers (Wired ISPs), Wireless Broadband Internet Access Service 
Providers (Wireless ISPs or WISPs), Internet Service Providers (Non-
Broadband), Vendors of Infrastructure Development or Network Buildout, 
Telephone Apparatus Manufacturing, Custom Computer Programming 
Services, Other Computer Related Services (Except Information 
Technology Value Added Resellers), Information Technology Value Added 
Resellers, Software Publishers.
    62. In the NPRM, the Commission seeks comment on a proposed Pilot 
with a $200 million budget and three-year duration, that would provide 
support for cybersecurity and advanced firewall

[[Page 90153]]

services for eligible K-12 schools and libraries.
    63. To participate in the Pilot, the NPRM proposes that interested 
K-12 schools and libraries apply by submitting an application 
containing information about how they would use the Pilot funds and 
providing information about their proposed cybersecurity and advanced 
firewall projects. All eligible schools and libraries that choose to 
participate may be required to collect and submit data as part of the 
application process, at regular intervals during the Pilot program and 
at the end of the Pilot, to the Universal Service Administrative 
Company (USAC) and the Commission. The collection of this information, 
which may go beyond that provided in FCC Forms 470 and 471, is 
necessary to evaluate the impact of the Pilot, including whether the 
Pilot achieves its goals. This includes the proposed evaluation 
process, with annual and final progress reports detailing use of funds 
and effectiveness of the program. It is expected that the benefits of 
collecting this information will outweigh any potential costs.
    64. Application requirements will necessitate that small entities 
make an assessment of their cybersecurity posture and services needed 
to address risks, which may require additional staff and/or staff with 
related expertise. The proposal to incorporate the existing E-Rate 
forms, processes, and software systems for seeking bids, requesting 
funding, and requesting disbursement/invoicing into the proposed Pilot 
may decrease the burden on small entities that are already familiar 
with these requirements. This may result in proposals from small 
entities that lessen the economic impact of the Pilot and increase 
their participation. In contrast, additional protections proposed in 
the NPRM, such as, document retention requirements, audits, site 
visits, and other methods of review in the Pilot, may require small 
entities to incur additional operational costs.
    65. The NPRM also proposes that participants be permitted to seek 
funding for services and equipment to be provided over the proposed 
three-year term and be supported by multi-year contract(s)/agreement(s) 
for this term. The NPRM also considers whether to adopt prerequisites 
for Pilot participants, some of which may require small entities to 
acquire additional software, equipment, or staffing. For example, the 
NPRM seeks comment on whether Pilot participants should be limited to 
those schools and libraries that have already implemented or are in the 
process of implementing CISA's K-12 cybersecurity or other 
cybersecurity recommendations.
    66. In assessing the cost of compliance for small entities, at this 
time the Commission cannot quantify the cost of compliance with any of 
the proposals that may be adopted. Further, the Commission is not in a 
position to determine whether, if adopted, the proposals and matters 
upon which the NPRM seeks comment will require small entities to hire 
professionals to comply. However, consistent with its objectives to 
leverage and adopt existing E-Rate processes and procedures, the 
Commission does not anticipate that small entities will be required to 
hire professionals to comply with any proposals the Commission adopt. 
The Commission expects the information it receives in comments, 
including, where requested, cost information, will help it and evaluate 
relevant compliance matters for small entities, including compliance 
costs and other burdens that may result from potential changes 
discussed in the NPRM.
    67. The RFA requires an agency to describe any significant, 
specifically small business, alternatives that it has considered in 
reaching its proposed approach, which may include the following four 
alternatives (among others): ``(1) the establishment of differing 
compliance or reporting requirements or timetables that take into 
account the resources available to small entities; (2) the 
clarification, consolidation, or simplification of compliance and 
reporting requirements under the rule for such small entities; (3) the 
use of performance rather than design standards; and (4) an exemption 
from coverage of the rule, or any part thereof, for such small 
entities.''
    68. The NPRM considers a number of alternatives which the 
Commission expects may have a beneficial impact on small entities. For 
example, allowing additional ramp-up time so that participants may 
prepare for the Pilot could benefit small entities that would need more 
time to implement cybersecurity measures. The funding proposals, 
including whether to distribute evenly over the three-year period and 
establishing funding caps, may impact the resources of small entities 
that would require flexibility to implement the Pilot program. Small 
entities may benefit from the NPRM's proposal to certify they do not 
have the resources to implement CISA's K-12 cybersecurity 
recommendations, as opposed to demonstrating that they have implemented 
those or similar actions. The NPRM proposes an application process that 
would encourage a wide variety of eligible schools and libraries to 
participate, including small entities. The Commission seeks to strike a 
balance between requiring applicants to submit enough information that 
would allow us to select high-quality, cost-effective projects that 
would best further the goals of the Pilot program, but also minimize 
the administrative burdens on small entities that seek to apply and 
participate in the Pilot.
    69. The Commission does not expect the requirements for the 
proposed Pilot to have a significant economic impact on eligible K-12 
schools and libraries for several reasons. The Commission expects to 
leverage and adopt existing E-Rate processes and procedures and also 
note that schools and libraries have the choice of whether to 
participate in the Pilot. The Bureau will also consider whether the 
proposed projects will promote entrepreneurs and other small businesses 
in the provision and ownership of telecommunications and information 
services, consistent with section 257 of the Communications Act, 
including those that may be socially and economically disadvantaged 
businesses.
    70. The Commission expects the information received in the comments 
to allow it to more fully consider ways to minimize the economic impact 
on small entities and explore additional alternatives to improve and 
simplify opportunities for small entities to participate in the Pilot.
    71. Federal Rules that May Duplicate, Overlap, or Conflict with the 
Proposed Rules. None.
    72. Paperwork Reduction Act. This document contains proposed new or 
modified information collection requirements. The Commission, as part 
of its continuing effort to reduce paperwork burdens, invites the 
general public and the Office of Management and Budget (OMB) to comment 
on the information collection requirements contained in this document, 
as required by the Paperwork Reduction Act of 1995 (PRA), Public Law 
104-13. In addition, pursuant to the Small Business Paperwork Relief 
Act of 2002, Public Law 107-198, see 44 U.S.C. 3506(c)(4), the 
Commission seeks specific comment on how it might further reduce the 
information collection burden for small business concerns with fewer 
than 25 employees.
    73. Ex Parte Rules--Permit but Disclose. Pursuant to section 
1.1200(a) of the Commission's rules, the NPRM shall be treated as a 
``permit-but-disclose'' proceeding in accordance with the Commission's 
ex parte rules. Persons making ex parte presentations must file a copy 
of any written presentation or a memorandum

[[Page 90154]]

summarizing any oral presentation within two business days after the 
presentation (unless a different deadline applicable to the Sunshine 
period applies). Persons making oral ex parte presentations are 
reminded that memoranda summarizing the presentation must (1) list all 
persons attending or otherwise participating in the meeting at which 
the ex parte presentation was made, and (2) summarize all data 
presented and arguments made during the presentation. If the 
presentation consisted in whole or in part of the presentation of data 
or arguments already reflected in the presenter's written comments, 
memoranda, or other filings in the proceeding, the presenter may 
provide citations to such data or arguments in his or her prior 
comments, memoranda, or other filings (specifying the relevant page 
and/or paragraph numbers where such data or arguments can be found) in 
lieu of summarizing them in the memorandum. Documents shown or given to 
Commission staff during ex parte meetings are deemed to be written ex 
parte presentations and must be filed consistent with rule 1.1206(b). 
In proceedings governed by rule 1.49(f) or for which the Commission has 
made available a method of electronic filing, written ex parte 
presentations and memoranda summarizing oral ex parte presentations, 
and all attachments thereto, must be filed through the electronic 
comment filing system available for that proceeding, and must be filed 
in their native format (e.g., .doc, .xml, .ppt, searchable.pdf). 
Participants in this proceeding should familiarize themselves with the 
Commission's ex parte rules.
    74. Providing Accountability Through Transparency Act. Consistent 
with the Providing Accountability Through Transparency Act, Public Law 
118-9, a summary of this document will be available on https://www.fcc.gov/proposed-rulemakings.

IV. Ordering Clauses

    75. Accordingly, it is ordered that, pursuant to the authority 
found in sections 1 through 4, 201 through 202, 254, 303(r), and 403 of 
the Communications Act of 1934, as amended, 47 U.S.C. 151 through 154, 
201 through 202, 254, 303(r), and 403, this Notice of Proposed 
Rulemaking is adopted.
    76. It is further ordered that the Commission's Office of the 
Secretary, Reference Information Center, shall send a copy of this 
Notice of Proposed Rulemaking, including the Initial Regulatory 
Flexibility Analysis, to the Chief Counsel for Advocacy of the Small 
Business Administration.

List of Subjects in 47 CFR Part 54

    Communications common carriers, Cybersecurity, Internet, Libraries, 
Reporting and recordkeeping requirements, Schools, Telecommunications, 
Telephone.

Federal Communications Commission.
Marlene Dortch,
Secretary.

Proposed Rules

    For the reasons discussed in the preamble, the Federal 
Communications Commission proposes to amend part 54 of title 47 of the 
Code of Federal Regulations as follows:

PART 54--UNIVERSAL SERVICE

0
1. The authority citation for part 54 continues to read as follows:

    Authority:  47 U.S.C. 151, 154(i), 155, 201, 205, 214, 219, 220, 
229, 254, 303(r), 403, 1004, 1302, 1601-1609, and 1752, unless 
otherwise noted.

0
2. Add subpart T to part 54 to read as follows:

Subpart T--Schools and Libraries Cybersecurity Pilot Program

Secs.
54.2000 Terms and Definitions.
54.2001 Budget and Duration.
54.2002 Eligible Recipients.
54.2003 Eligible Services and Equipment.
54.2004 Application for Selection in the Pilot Program.
54.2005 Competitive Bidding Requirements.
54.2006 Requests for Funding.
54.2007 Discounts.
54.2008 Requests for Reimbursement.
54.2009 Audits, Inspections, and Investigations.
54.2010 Records Retention and Production.
54.2011 Administrator of the Schools and Libraries Cybersecurity 
Pilot Program.
54.2012 Appeal and waiver requests.


Sec.  54.2000  Terms and Definitions.

    Administrator. The term ``Administrator'' means the Universal 
Service Administrative Company.
    Billed Entity. A ``billed entity'' is the entity that remits 
payment to service providers for services rendered to eligible schools, 
libraries, or consortia of eligible schools and libraries.
    Commission. The term ``Commission'' means the Federal 
Communications Commission.
    Connected device. The term ``connected device'' means a laptop or 
desktop computer, or a tablet.
    Consortium. A ``consortium'' is any local, Tribal, statewide, 
regional, or interstate cooperative association of schools and/or 
libraries eligible for Schools and Libraries Cybersecurity Pilot 
Program support that seeks competitive bids for eligible services or 
funding for eligible services on behalf of some or all of its members. 
A consortium may also include health care providers eligible under 
subpart G of this part, and public sector (governmental) entities, 
including, but not limited to, state colleges and state universities, 
state educational broadcasters, counties, and municipalities, although 
such entities are not eligible for support.
    Cyber incident. An occurrence that actually or potentially results 
in adverse consequences to (adverse effects on) (poses a threat to) an 
information system or the information that the system processes, 
stores, or transmits and that may require a response action to mitigate 
the consequences.
    Cyber threat. A circumstance or event that has or indicates the 
potential to exploit vulnerabilities and to adversely impact (create 
adverse consequences for) organizational operations, organizational 
assets (including information and information systems), individuals, 
other organizations, or society.
    Cyberattack. An attempt to gain unauthorized access to system 
services, resources, or information, or an attempt to compromise system 
integrity.
    Doxing. The act of compiling or publishing personal information 
about an individual on the internet, typically with malicious intent.
    Educational Purposes. For purposes of this subpart, activities that 
are integral, immediate, and proximate to the education of students, or 
in the case of libraries, integral, immediate and proximate to the 
provision of library services to library patrons, qualify as 
``educational purposes.''
    Elementary School. An ``elementary school'' means an elementary 
school as defined in 20 U.S.C. 7801(18), a non-profit institutional day 
or residential school, including a public elementary charter school, 
that provides elementary education, as determined under state law.
    Library. A ``library includes:
    (1) A public library;
    (2) A public elementary school or secondary school library;
    (3) A Tribal library;
    (4) An academic library;
    (5) A research library, which for the purpose of this section means 
a library that:
    (i) Makes publicly available library services and materials 
suitable for scholarly research and not otherwise available to the 
public; and

[[Page 90155]]

    (ii) Is not an integral part of an institution of higher education; 
and
    (6) A private library, but only if the state in which such private 
library is located determines that the library should be considered a 
library for the purposes of this definition.
    Library consortium. A ``library consortium'' is any local, 
statewide, Tribal, regional, or interstate cooperative association of 
libraries that provides for the systematic and effective coordination 
of the resources of schools, and public, academic, and special 
libraries and information centers, for improving services to the 
clientele of such libraries. For the purposes of these rules, 
references to library will also refer to library consortium.
    National School Lunch Program. The ``National School Lunch 
Program'' is a program administered by the U.S. Department of 
Agriculture and state agencies that provides free or reduced price 
lunches to economically disadvantaged children. A child whose family 
income is between 130 percent and 185 percent of applicable family size 
income levels contained in the nonfarm poverty guidelines prescribed by 
the Office of Management and Budget is eligible for a reduced price 
lunch. A child whose family income is 130 percent or less of applicable 
family size income levels contained in the nonfarm income poverty 
guidelines prescribed by the Office of Management and Budget is 
eligible for a free lunch.
    Pre-discount price. The ``pre-discount price'' means, in this 
subpart, the price the service provider agrees to accept as total 
payment for its eligible services and equipment. This amount is the sum 
of the amount the service provider expects to receive from the eligible 
school, library, or consortium, and the amount it expects to receive as 
reimbursement from the Schools and Libraries Cybersecurity Pilot 
Program for the discounts provided under this subpart.
    Secondary school. A ``secondary school'' means a secondary school 
as defined in 20 U.S.C. 7801(38), a non-profit institutional day or 
residential school, including a public secondary charter school, that 
provides secondary education, as determined under state law except that 
the term does not include any education beyond grade 12.
    Tribal. An entity is ``Tribal'' if it is a school operated by or 
receiving funding from the Bureau of Indian Education (BIE), or if it 
is a school or library operated by any Tribe, Band, Nation, or other 
organized group or community, including any Alaska native village, 
regional corporation, or village corporation (as defined in, or 
established pursuant to, the Alaska Native Claims Settlement Act (43 
U.S.C. 1601 et seq.) that is recognized as eligible for the special 
programs and services provided by the United States to Indians because 
of their status as Indians.


Sec.  54.2001  Budget and Duration.

    (a) Budget. The Schools and Libraries Cybersecurity Pilot Program 
shall have a cap of $200 million.
    (b) Duration. The Schools and Libraries Cybersecurity Pilot Program 
shall make funding available to applicants selected to participate (in 
accordance with Sec.  54.2004 of this subpart) for three years, to 
begin when selected applicants are first eligible to receive eligible 
services and equipment.


Sec.  54.2002  Eligible Recipients.

    (a) Schools.
    (1) Only schools meeting the statutory definition of ``elementary 
school'' or ``secondary school'' as defined in Sec.  54.2000, and not 
excluded under paragraphs (a)(2) or (3) of this section shall be 
eligible for discounts on supported services under this subpart.
    (2) Schools operating as for-profit businesses shall not be 
eligible for discounts under this subpart.
    (3) Schools with endowments exceeding $50,000,000 shall not be 
eligible for discounts under this subpart.
    (b) Libraries.
    (1) Only libraries eligible for assistance from a State library 
administrative agency under the Library Services and Technology Act (20 
U.S.C. 9122) and not excluded under paragraph (b)(2) or (3) of this 
section shall be eligible for discounts under this subpart.
    (2) Except as provided in paragraph (b)(4) of this section, a 
library's eligibility for universal service funding shall depend on its 
funding as an independent entity. Only libraries whose budgets are 
completely separate from any schools (including, but not limited to, 
elementary and secondary schools, colleges, and universities) shall be 
eligible for discounts as libraries under this subpart.
    (3) Libraries operating as for-profit businesses shall not be 
eligible for discounts under this subpart.
    (4) A Tribal college or university library that serves as a public 
library by having dedicated library staff, regular hours, and a 
collection available for public use in its community shall be eligible 
for discounts under this subpart.
    (c) Consortia.
    (1) For consortia, discounts under this subpart shall apply only to 
the portion of eligible services and equipment used by eligible schools 
and libraries.
    (2) Service providers shall keep and retain records of rates 
charged to and discounts allowed for eligible schools and libraries on 
their own or as part of a consortium. Such records shall be available 
for public inspection.


Sec.  54.2003  Eligible Services and Equipment.

    (a) Supported services and equipment. All supported services and 
equipment are listed in the Schools and Libraries Cybersecurity Pilot 
Program Eligible Services List, as updated in accordance with paragraph 
(b) of this section. The services and equipment in this subpart will be 
supported in addition to all reasonable charges that are incurred by 
taking such services, such as state and federal taxes. Charges for 
termination liability, penalty surcharges, and other charges not 
included in the cost of taking such service shall not be covered by the 
universal service support mechanisms.
    (b) Schools and Libraries Cybersecurity Pilot Program Eligible 
Services List Process. The Wireline Competition Bureau will release a 
list of services and equipment eligible for support prior to the 
opening of the Pilot Participant Selection Application Window, in 
accordance with Sec.  54.2004. The Wireline Competition Bureau may, as 
needed, amend the list of services and equipment eligible for support 
prior to the termination of the Schools and Libraries Cybersecurity 
Pilot Program, in accordance with Sec.  54.2001.
    (c) Prohibition on resale. Eligible supported services and 
equipment shall not be sold, resold, or transferred in consideration of 
money or any other thing of value, until the conclusion of the Schools 
and Libraries Cybersecurity Pilot Program, as provided in Sec.  
54.2001.


Sec.  54.2004  Application for Selection in the Pilot Program.

    (a) The Wireline Competition Bureau will announce the opening of 
the Pilot Participant Selection Application Window. Eligible recipients 
shall have no less than sixty (60) days to submit a Pilot Participant 
Selection Application, following the opening of the window.
    (b) The Wireline Competition Bureau shall announce those eligible 
applicants that have been selected to participate in the Schools and 
Libraries Cybersecurity Pilot Program no more than ninety (90) days 
following the close of the Pilot Participant Selection Application 
Window.
    (c) Filing the FCC Form 484.
    (1) Schools, libraries, or consortia of eligible schools and 
libraries to participate in the Schools and Libraries Cybersecurity 
Pilot Program shall

[[Page 90156]]

submit a completed FCC Form 484 to the Administrator. The FCC Form 484 
shall include, at a minimum, the following information:
    (i) Name, address, and contact information for the interested 
school or library. For school district or library system applicants, 
the name and address of all schools/libraries within the district/
system, and contact information for the district or library system.
    (ii) Description of the Pilot participant's current cybersecurity 
posture, including how the school or library is currently managing and 
addressing its current cybersecurity risks through prevention and 
mitigation tactics, and a description of its proposed advanced 
cybersecurity action plan should it be selected to participate in the 
Pilot program and receive funding.
    (iii) Description of any incident of unauthorized operational 
access to the Pilot participant's systems or equipment within a year of 
the date of its application; the date range of the incident; a 
description of the unauthorized access; the impact to the K-12 school 
or library; a description of the vulnerabilities exploited and the 
techniques used to access the system; and identifying information for 
each actor responsible for the incident, if known.
    (iv) Description of the Pilot participant's proposed use of the 
funding to protect its broadband network and data and improve its 
ability to address K-12 cyber concerns. This description should include 
the types of services and equipment the participant plans to purchase 
and the plan for implementing and using the Pilot-funded equipment and 
services to protect its broadband network and data, and improve its 
ability to manage and address its cybersecurity risks.
    (v) Description of how the Pilot participant plans to collect and 
track its progress in implementing the Pilot-funded equipment and 
services into its cybersecurity action plan, and for providing the 
required Pilot data, including the impact the funding had on its 
initial cybersecurity action plan that pre-dated implementation of 
Pilot efforts.
    (2) The FCC Form 484 shall be signed by a person authorized to 
submit the application to participate in the Pilot Program on behalf of 
the eligible school, library, or consortium, including such entities.
    (i) A person authorized to submit the application on behalf of the 
entities listed on an FCC Form 484 shall certify under oath that:
    (A) ``I am authorized to submit this application on behalf of the 
above-named applicant and that based on information known to me or 
provided to me by employees responsible for the data being submitted, I 
hereby certify that the data set forth in this form has been examined 
and is true, accurate, and complete. I acknowledge that any false 
statement on this application or on other documents submitted by this 
applicant can be punished by fine or forfeiture under the 
Communications Act (47 U.S.C. 502, 503(b)), or fine or imprisonment 
under Title 18 of the United States Code (18 U.S.C. 1001), or can lead 
to liability under the False Claims Act (31 U.S.C. 3729-3733).''
    (B) ``In addition to the foregoing, this applicant is in compliance 
with the rules and orders governing the Schools and Libraries 
Cybersecurity Pilot Program, and I acknowledge that failure to be in 
compliance and remain in compliance with those rules and orders may 
result in the denial of funding, cancellation of funding commitments, 
and/or recoupment of past disbursements. I acknowledge that failure to 
comply with the rules and orders governing the Schools and Libraries 
Cybersecurity Pilot Program could result in civil or criminal 
prosecution by law enforcement authorities.''
    (C) ``By signing this application, I certify that the information 
contained in this form is true, complete, and accurate, and the 
projected expenditures, disbursements, and cash receipts are for the 
purposes and objectives set forth in the terms and conditions of the 
Federal award. I am aware that any false, fictitious, or fraudulent 
information, or the omission of any material fact, may subject me to 
criminal, civil or administrative penalties for fraud, false 
statements, false claims or otherwise. (U.S. Code Title 18, sections 
1001, 286-287 and 1341 and Title 31, sections 3729-3730 and 3801-
3812).''
    (D) The applicant recognizes that it may be audited pursuant to its 
application, that it will retain for ten years any and all records 
related to its application, and that, if audited, it shall produce such 
records at the request of any representative (including any auditor) 
appointed by a state education department, the Administrator, the 
Commission and its Office of Inspector General, or any local, state, or 
federal agency with jurisdiction over the entity.
    (E) I certify and acknowledge, under penalty of perjury, that if 
selected, the schools, libraries, and consortia in the application will 
comply with all applicable Schools and Libraries Cybersecurity Pilot 
Program rules, requirements, and procedures, including the competitive 
bidding rules and the requirement to pay the required share of the 
costs for the supported items from eligible sources.
    (F) I certify under penalty of perjury, to the best of my 
knowledge, that the schools, libraries, and consortia listed in the 
application are not already receiving or expecting to receive other 
funding (from any source, federal, state, Tribal, local, private, or 
other) that will pay for the same equipment and/or services for which I 
am seeking funding under the Schools and Libraries Cybersecurity Pilot 
Program.
    (G) I certify under penalty of perjury, to the best of my 
knowledge, that all requested equipment and services funded by the 
Schools and Libraries Cybersecurity Pilot Program will be used for 
their intended purposes.


Sec.  54.2005  Competitive Bidding Requirements.

    (a) All applicants selected to participate in the Schools and 
Libraries Cybersecurity Pilot Program must conduct a fair and open 
competitive bidding process, consistent with all requirements set forth 
in this subpart.
    (b) Competitive bid requirements. All applicants selected to 
participate in the Schools and Libraries Cybersecurity Pilot Program 
shall seek competitive bids, pursuant to the requirements established 
in this subpart, for all services and equipment eligible for support 
under Sec.  54.2003. These competitive bid requirements apply in 
addition to any applicable state, Tribal, and local competitive bid 
requirements and are not intended to preempt such state, Tribal, or 
local requirements.
    (c) Posting of FCC Form 470.
    (1) An applicant selected to participate in the Schools and 
Libraries Cybersecurity Pilot Program shall submit a completed FCC Form 
470 to the Administrator to initiate the competitive bidding process. 
The FCC Form 470 shall include, at a minimum, the following 
information:
    (i) A list of specified services and/or equipment for which the 
school, library, or consortium requests bids;
    (ii) Sufficient information to enable bidders to reasonably 
determine the needs of the applicant;
    (2) The FCC Form 470 shall be signed by a person authorized to 
request bids for eligible services and equipment for the eligible 
school, library, or consortium, including such entities, and shall 
include that person's certification under penalty of perjury that:
    (i) ``I am authorized to submit this application on behalf of the 
above-

[[Page 90157]]

named applicant and that based on information known to me or provided 
to me by employees responsible for the data being submitted, I hereby 
certify that the data set forth in this form has been examined and is 
true, accurate, and complete. I acknowledge that any false statement on 
this application or on other documents submitted by this applicant can 
be punished by fine or forfeiture under the Communications Act (47 
U.S.C. 502, 503(b)), or fine or imprisonment under Title 18 of the 
United States Code (18 U.S.C. 1001), or can lead to liability under the 
False Claims Act (31 U.S.C. 3729-3733).''
    (ii) ``In addition to the foregoing, this applicant is in 
compliance with the rules and orders governing the Schools and 
Libraries Cybersecurity Pilot Program, and I acknowledge that failure 
to be in compliance and remain in compliance with those rules and 
orders may result in the denial of funding, cancellation of funding 
commitments, and/or recoupment of past disbursements. I acknowledge 
that failure to comply with the rules and orders governing the Schools 
and Libraries Cybersecurity Pilot Program could result in civil or 
criminal prosecution by law enforcement authorities.''
    (iii) ``By signing this application, I certify that the information 
contained in this form is true, complete, and accurate. I am aware that 
any false, fictitious, or fraudulent information, or the omission of 
any material fact, may subject me to criminal, civil or administrative 
penalties for fraud, false statements, false claims or otherwise. (U.S. 
Code Title 18, sections 1001, 286-287 and 1341 and Title 31, sections 
3729-3730 and 3801-3812).''
    (iv) The schools meet the statutory definition of ``elementary 
school'' or ``secondary school'' as defined in Sec.  54.2000, do not 
operate as for-profit businesses, and do not have endowments exceeding 
$50 million.
    (v) Libraries or library consortia eligible for assistance from a 
State library administrative agency under the Library Services and 
Technology Act of 1996 do not operate as for-profit businesses and, 
except for the limited case of Tribal college or university libraries, 
have budgets that are completely separate from any school (including, 
but not limited to, elementary and secondary schools, colleges, and 
universities).
    (vi) The services and/or equipment that the school, library, or 
consortium purchases at discounts will not be sold, resold, or 
transferred in consideration for money or any other thing of value, 
except as allowed by Sec.  54.2003(c).
    (vii) The school(s) and/or library(ies) listed on this FCC Form 470 
will not accept anything of value, other than services and equipment 
sought by means of this form, from the service provider, or any 
representatives or agent thereof or any consultant in connection with 
this request for services.
    (viii) All bids submitted for eligible equipment and services will 
be carefully considered, with price being the primary factor, and the 
bid selected will be for the most cost-effective service offering 
consistent with paragraph (e) of this section.
    (ix) The school, library, or consortium acknowledges that support 
under this Pilot Program is conditional upon the school(s) and/or 
library(ies) securing access, separately or through this program, to 
all of the resources necessary to effectively use the requested 
equipment and services. The school, library, or consortium recognizes 
that some of the aforementioned resources are not eligible for support 
and certifies that it has considered what financial resources should be 
available to cover these costs.
    (x) I will retain required documents for a period of at least 10 
years (or whatever retention period is required by the rules in effect 
at the time of this certification) after the later of the last day of 
the applicable funding year or the service delivery deadline for the 
associated funding request. I also certify that I will retain all 
documents necessary to demonstrate compliance with the statute and 
Commission rules regarding the form for, receipt of, and delivery of 
equipment and services receiving Schools and Libraries Cybersecurity 
Pilot Program discounts. I acknowledge that I may be audited pursuant 
to participation in the Pilot program.
    (xi) I certify that the equipment and services that the applicant 
purchases at discounts will be used primarily for educational purposes 
and will not be sold, resold or transferred in consideration for money 
or any other thing of value, except as permitted by the Commission's 
rules at 47 CFR 54.2003(c). Additionally, I certify that the entity or 
entities listed on this form will not accept anything of value or a 
promise of anything of value, other than services and equipment sought 
by means of this form, from the service provider, or any representative 
or agent thereof or any consultant in connection with this request for 
services.
    (xii) I acknowledge that support under this Pilot program is 
conditional upon the school(s) and/or library(ies) I represent securing 
access, separately or through this program, to all of the resources 
necessary to effectively use the requested equipment and services. I 
recognize that some of the aforementioned resources are not eligible 
for support. I certify that I have considered what financial resources 
should be available to cover these costs.
    (xiii) I certify that I have reviewed all applicable Commission, 
state, Tribal, and local procurement/competitive bidding requirements 
and that the applicant will comply with all applicable requirements.
    (3) The Administrator shall post each FCC Form 470 that it receives 
from an applicant selected to participate in the Schools and Libraries 
Cybersecurity Pilot Program on its website designated for this purpose.
    (4) After posting on the Administrator's website an FCC Form 470, 
the Administrator shall send confirmation of the posting to the 
applicant requesting services and/or equipment. The applicant shall 
then wait at least four weeks from the date on which its description of 
services and/or equipment is posted on the Administrator's website 
before making commitments with the selected providers of services and/
or equipment. The confirmation from the Administrator shall include the 
date after which the applicant may sign a contract with its chosen 
provider(s).
    (d) Gift Restrictions.
    (1) Subject to paragraphs (d)(3) and (4) of this section, an 
applicant selected to participate in the Schools and Libraries 
Cybersecurity Pilot Program may not directly or indirectly solicit or 
accept any gift, gratuity, favor, entertainment, loan, or any other 
thing of value from a service provider participating in or seeking to 
participate in the Schools and Libraries Cybersecurity Pilot Program. 
No such service provider shall offer or provide any such gift, 
gratuity, favor, entertainment, loan, or other thing of value except as 
otherwise provided herein. Modest refreshments not offered as part of a 
meal, items with little intrinsic value intended solely for 
presentation, and items worth $20 or less, including meals, may be 
offered or provided, and accepted by any individuals or entities 
subject to this rule, if the value of these items received by any 
individual does not exceed $50 from any one service provider per year. 
The $50 amount for any service provider shall be calculated as the 
aggregate value of all gifts provided during a year by the individuals 
specified in paragraph (d)(2)(ii) of this section.
    (2) For purposes of this paragraph:
    (i) The term ``applicant selected to participate in the Schools and 
Libraries

[[Page 90158]]

Cybersecurity Pilot Program'' includes all individuals who are on the 
governing boards of such entities (such as members of a school 
committee), and all employees, officers, representatives, agents, 
consultants, or independent contractors of such entities involved on 
behalf of such school, library, or consortium with the Schools and 
Libraries Cybersecurity Pilot Program, including individuals who 
prepare, approve, sign, or submit applications, or other forms related 
to the Schools and Libraries Cybersecurity Pilot Program, or who 
prepare bids, communicate, or work with Schools and Libraries 
Cybersecurity Pilot Program service providers, Schools and Libraries 
Cybersecurity Pilot Program consultants, or with the Administrator, as 
well as any staff of such entities responsible for monitoring 
compliance with the Schools and Libraries Cybersecurity Pilot Program; 
and
    (ii) The term ``service provider'' includes all individuals who are 
on the governing boards of such an entity (such as members of the board 
of directors), and all employees, officers, representatives, agents, 
consultants, or independent contractors of such entities.
    (3) The restrictions set forth in this paragraph shall not be 
applicable to the provision of any gift, gratuity, favor, 
entertainment, loan, or any other thing of value, to the extent given 
to a family member or a friend working for an eligible school, library, 
or consortium that includes an eligible school or library, provided 
that such transactions:
    (i) Are motivated solely by a personal relationship,
    (ii) Are not rooted in any service provider business activities or 
any other business relationship with any such applicant selected to 
participate in the Schools and Libraries Cybersecurity Pilot Program, 
and
    (iii) Are provided using only the donor's personal funds that will 
not be reimbursed through any employment or business relationship.
    (4) Any service provider may make charitable donations to an 
applicant selected to participate in the Schools and Libraries 
Cybersecurity Pilot Program in the support of its programs as long as 
such contributions are not directly or indirectly related to Schools 
and Libraries Cybersecurity Pilot Program procurement activities or 
decisions and are not given by service providers to circumvent 
competitive bidding and other Schools and Libraries Cybersecurity Pilot 
Program rules.
    (e) Selecting a provider of eligible services. In selecting a 
provider of eligible services and equipment, applicants selected to 
participate in the Schools and Libraries Cybersecurity Pilot Program 
shall carefully consider all bids submitted and must select the most 
cost-effective service offering. In determining which service offering 
is the most cost-effective, entities may consider relevant factors 
other than the pre-discount prices submitted by providers, but price 
should be the primary factor considered.


Sec.  54.2006  Requests for Funding.

    (a) Filing of the FCC Form 471.
    (1) An applicant selected to participate in the Schools and 
Libraries Cybersecurity Pilot Program shall, upon entering into a 
signed contract or other legally binding agreement for eligible 
services and equipment, submit a completed FCC Form 471 to the 
Administrator.
    (2) The FCC Form 471 shall be signed by the person authorized to 
order eligible services or equipment for the applicant selected to 
participate in the Schools and Libraries Cybersecurity Pilot Program 
and shall include that person's certification under penalty of perjury 
that:
    (i) ``I am authorized to submit this application on behalf of the 
above-named applicant and that based on information known to me or 
provided to me by employees responsible for the data being submitted, I 
hereby certify that the data set forth in this application has been 
examined and is true, accurate, and complete. I acknowledge that any 
false statement on this application or on other documents submitted by 
this applicant can be punished by fine or forfeiture under the 
Communications Act (47 U.S.C. 502, 503(b)), or fine or imprisonment 
under Title 18 of the United States Code (18 U.S.C. 1001), or can lead 
to liability under the False Claims Act (31 U.S.C. 3729-3733).''
    (ii) ``In addition to the foregoing, this applicant is in 
compliance with the rules and orders governing the Schools and 
Libraries Cybersecurity Pilot Program, and I acknowledge that failure 
to be in compliance and remain in compliance with those rules and 
orders may result in the denial of funding, cancellation of funding 
commitments, and/or recoupment of past disbursements. I acknowledge 
that failure to comply with the rules and orders governing the Schools 
and Libraries Cybersecurity Pilot Program could result in civil or 
criminal prosecution by law enforcement authorities.''
    (iii) ``By signing this application, I certify that the information 
contained in this application is true, complete, and accurate, and the 
projected expenditures, disbursements and cash receipts are for the 
purposes and objectives set forth in the terms and conditions of the 
federal award. I am aware that any false, fictitious, or fraudulent 
information, or the omission of any material fact, may subject me to 
criminal, civil or administrative penalties for fraud, false 
statements, false claims or otherwise. (U.S. Code Title 18, sections 
1001, 286-287 and 1341 and Title 31, sections 3729-3730 and 3801-
3812).''
    (iv) The school meets the statutory definition of ``elementary 
school'' or ``secondary school'' as defined in Sec.  54.2000, does not 
operate as for-profit businesses, and does not have endowments 
exceeding $50 million.
    (v) The library or library consortia is eligible for assistance 
from a State library administrative agency under the Library Services 
and Technology Act, does not operate as for-profit businesses and, 
except for the limited case of Tribal college and university libraries, 
have budgets that are completely separate from any school (including, 
but not limited to, elementary and secondary schools, colleges, and 
universities).
    (vi) The school, library, or consortium listed on the FCC Form 471 
application will pay the non-discount portion of the costs of the 
eligible services and/or equipment to the Service Provider(s).
    (vii) The school, library, or consortium listed on the FCC Form 471 
application has conducted a fair and open competitive bidding process 
and has complied with all applicable state, Tribal, or local laws 
regarding procurement of the equipment and services for which support 
is being sought.
    (viii) An FCC Form 470 was posted and that any related request for 
proposals (RFP) was made available for at least 28 days before 
considering all bids received and selecting a service provider. The 
school, library, or consortium listed on the FCC Form 471 application 
carefully considered all bids submitted and selected the most-cost-
effective bid in accordance with Sec.  54.2005(e), with price being the 
primary factor considered.
    (ix) The school, library, or consortium listed on the FCC Form 471 
application is only seeking support for eligible services and/or 
equipment.
    (x) The school, library, or consortia is not seeking Schools and 
Libraries Cybersecurity Pilot Program support or reimbursement for 
eligible services and/or equipment that have been purchased and 
reimbursed in full with other federal funding, targeted state funding, 
other external sources of targeted funding or targeted gifts, or are 
eligible

[[Page 90159]]

for discounts from the schools and libraries universal service support 
mechanism or another universal service support mechanism.
    (xi) The services and equipment the school, library, or consortium 
purchases using Schools and Libraries Cybersecurity Pilot Program 
support will be used primarily for educational purposes and will not be 
sold, resold, or transferred in consideration for money or any other 
thing of value, except as allowed by Sec.  54.2003(c).
    (xii) The school, library, or consortium will create and maintain 
an equipment and service inventory as required by Sec.  54.2010(a).
    (xiii) The school, library, or consortium has complied with all 
program rules and acknowledges that failure to do so may result in 
denial of funding and/or recovery of funding.
    (xiv) The school, library, or consortium acknowledges that it may 
be audited pursuant to its application, that it will retain for ten 
years any and all records related to its application, and that, if 
audited, it shall produce such records at the request of any 
representative (including any auditor) appointed by a state education 
department, the Administrator, the Commission and its Office of 
Inspector General, or any local, state, or federal agency with 
jurisdiction over the entity.
    (xv) No kickbacks, as defined in 41 U.S.C. 8701, were paid to or 
received by the applicant from anyone in connection with the Schools 
and Libraries Cybersecurity Pilot Program or the schools and libraries 
universal service support mechanism.
    (xvi) The school, library, or consortium acknowledges that 
Commission rules provide that persons who have been convicted of 
criminal violations or held civilly liable for certain acts arising 
from their participation in the universal service support mechanisms 
are subject to suspension and debarment from the program. The school, 
library, or consortium will institute reasonable measures to be 
informed, and will notify the Administrator should it be informed or 
become aware that any of the entities listed on this application, or 
any person associated in any way with this entity and/or the entities 
listed on this application, is convicted of a criminal violation or 
held civilly liable for acts arising from their participation in the 
universal service support mechanisms.
    (b) Service or Equipment Substitution.
    (1) A request by a Schools and Libraries Cybersecurity Pilot 
Program applicant to substitute service or equipment for one identified 
in its FCC Form 471 must be in writing and certified under perjury by 
an authorized person.
    (2) The Administrator shall approve such written request where:
    (i) The service or equipment has the same functionality;
    (ii) The substitution does not violate any contract provisions or 
state, Tribal, or local procurement laws; and
    (iii) The Schools and Libraries Cybersecurity Pilot Program 
participant certifies that the requested change is within the scope of 
the controlling FCC Form 470.
    (3) In the event that a service or equipment substitution results 
in a change in the pre-discount price for the supported service or 
equipment, support shall be based on the lower of either the pre-
discount price of the service or equipment for which support was 
originally requested or the pre-discount price of the new, substituted 
service or equipment after the Administrator has approved a written 
request for the substitution.
    (c) Mixed eligibility services and equipment. If the service or 
equipment includes both ineligible and eligible components, the 
applicant selected to participate in the Schools and Libraries 
Cybersecurity Pilot Program must remove the cost of the ineligible 
components of the service or equipment from the request for funding 
submitted to the Administrator.


Sec.  54.2007  Discounts.

    (a) Discount mechanism. Discounts for applicants selected to 
participate in the Schools and Libraries Cybersecurity Pilot Program 
shall be set as a percentage discount from the pre-discount price.
    (b) Discount percentages. The discounts available to applicants 
selected to participate in the Schools and Libraries Cybersecurity 
Pilot Program shall range from 20 percent to 90 percent of the pre-
discount price for all eligible services provided by eligible 
providers. The discounts available shall be determined by indicators of 
poverty and urban/rurality designation.
    (1) For schools and school districts, the level of poverty shall be 
based on the percentage of the student enrollment that is eligible for 
a free or reduced price lunch under the National School Lunch Program 
or a federally-approved alternative mechanism. School districts shall 
divide the total number of students eligible for the National School 
Lunch Program within the school district by the total number of 
students within the school district to arrive at a percentage of 
students eligible. This percentage rate shall then be applied to the 
discount matrix to set a discount rate for the supported services 
purchased by all schools within the school district. Independent 
charter schools, private schools, and other eligible educational 
facilities should calculate a single discount percentage rate based on 
the total number of students under the control of the central 
administrative agency.
    (2) For libraries and library consortia, the level of poverty shall 
be based on the percentage of the student enrollment that is eligible 
for a free or reduced price lunch under the National School Lunch 
Program or a federally-approved alternative mechanism in the public 
school district in which they are located and should use that school 
district's level of poverty to determine their discount rate when 
applying as a library system or as an individual library outlet within 
that system. When a library system has branches or outlets in more than 
one public school district, that library system and all library outlets 
within that system should use the address of the central outlet or main 
administrative office to determine which school district the library 
system is in, and should use that school district's level of poverty to 
determine its discount rate when applying as a library system or as one 
or more library outlets. If the library is not in a school district, 
then its level of poverty shall be based on an average of the 
percentage of students eligible for the National School Lunch Program 
in each of the school districts that children living in the library's 
location attend.
    (3) The Administrator shall classify schools and libraries as 
``urban'' or ``rural'' according to the following designations. The 
Administrator shall designate a school or library as ``urban'' if the 
school or library is located in an urbanized area or urban cluster area 
with a population equal to or greater than 25,000, as determined by the 
most recent rural-urban classification by the Bureau of the Census. The 
Administrator shall designate all other schools and libraries as 
``rural.''
    (4) Applicants selected to participate in the Schools and Libraries 
Cybersecurity Pilot Program shall calculate discounts on supported 
services described in Sec.  54.2003 that are shared by two or more of 
their schools, libraries, or consortia members by calculating an 
average discount based on the applicable district-wide discounts of all 
member schools and libraries. School districts, library systems, or 
other billed entities shall ensure that, for each year in which an 
eligible school or library is included for purposes of calculating the 
aggregate discount rate, that eligible school or

[[Page 90160]]

library shall receive a proportionate share of the shared services for 
which support is sought. For schools, the discount shall be a simple 
average of the applicable district-wide percentage for all schools 
sharing a portion of the shared services. For libraries, the average 
discount shall be a simple average of the applicable discounts to which 
the libraries sharing a portion of the shared services are entitled.
    (c) Discount matrix. Except as provided in paragraph (d) of this 
section, the Administrator shall use the following matrix to set the 
discount rate to be applied to eligible services purchased by 
applicants selected to participate in the Schools and Libraries 
Cybersecurity Pilot Program based on the applicant's level of poverty 
and location in an ``urban'' or ``rural'' area.

------------------------------------------------------------------------
                                               Discount level
    % of students eligible for     -------------------------------------
   national school lunch program      Urban discount     Rural discount
------------------------------------------------------------------------
<1................................                 20                 25
1-19..............................                 40                 50
20-34.............................                 50                 60
35-49.............................                 60                 70
50-74.............................                 80                 80
75-100............................                 85                 85
------------------------------------------------------------------------

    (d) Tribal Library Discount Level. For the costs of eligible 
cybersecurity equipment and services, Tribal libraries at the highest 
discount level shall receive a 90 percent discount.
    (e) Payment for the non-discount portion of supported services and 
equipment. An applicant selected to participate in the Schools and 
Libraries Cybersecurity Pilot Program must pay the non-discount portion 
of costs for the services or equipment purchased with universal service 
discounts, and may not receive rebates for services or equipment 
purchased with universal service discounts. For the purpose of this 
rule, the provision, by the provider of a supported service or 
equipment, of free services or equipment unrelated to the supported 
service or equipment constitutes a rebate of the non-discount portion 
of the costs for the supported services and equipment.


Sec.  54.2008  Requests for reimbursement.

    (a) Submission of request for reimbursement (FCC Form 472 or FCC 
Form 474). Reimbursement for the costs associated with eligible 
services and equipment shall be provided directly to an applicant 
selected to participate, or service provider, seeking reimbursement 
from the Schools and Libraries Cybersecurity Pilot Program upon 
submission and approval of a completed FCC Form 472 (Billed Entity 
Applicant Reimbursement Form) or a completed FCC Form 474 (Service 
Provider Invoice) to the Administrator.
    (1) The FCC Form 472 shall be signed by the person authorized to 
submit requests for reimbursement for the eligible school, library, or 
consortium and shall include that person's certification under penalty 
of perjury that:
    (i) ``I am authorized to submit this request for reimbursement on 
behalf of the above-named school, library or consortium and that based 
on information known to me or provided to me by employees responsible 
for the data being submitted, I hereby certify that the data set forth 
in this request for reimbursement has been examined and is true, 
accurate, and complete. I acknowledge that any false statement on this 
request for reimbursement or on other documents submitted by this 
school, library, or consortium can be punished by fine or forfeiture 
under the Communications Act (47 U.S.C. 502, 503(b)), or fine or 
imprisonment under Title 18 of the United States Code (18 U.S.C. 1001), 
or can lead to liability under the False Claims Act (31 U.S.C. 3729-
3733).''
    (ii) ``In addition to the foregoing, the school, library or 
consortium is in compliance with the rules and orders governing the 
Schools and Libraries Cybersecurity Pilot Program, and I acknowledge 
that failure to be in compliance and remain in compliance with those 
rules and orders may result in the denial of funding, cancellation of 
funding commitments, and/or recoupment of past disbursements. I 
acknowledge that failure to comply with the rules and orders governing 
the Schools and Libraries Cybersecurity Pilot Program could result in 
civil or criminal prosecution by law enforcement authorities.''
    (iii) ``By signing this request for reimbursement, I certify that 
the information contained in this request for reimbursement is true, 
complete, and accurate, and the expenditures, disbursements and cash 
receipts are for the purposes and objectives set forth in the terms and 
conditions of the federal award. I am aware that any false, fictitious, 
or fraudulent information, or the omission of any material fact, may 
subject me to criminal, civil or administrative penalties for fraud, 
false statements, false claims or otherwise. (U.S. Code Title 18, 
sections 1001, 286-287 and 1341 and Title 31, sections 3729-3730 and 
3801-3812).''
    (iv) The funds sought in the request for reimbursement are for 
eligible services and/or equipment that were purchased in accordance 
with the Schools and Libraries Cybersecurity Pilot Program rules and 
requirements in this subpart and received by the school, library, or 
consortium. The equipment and/or services being requested for 
reimbursement were determined to be eligible and approved by the 
Administrator.
    (v) The non-discounted share of costs amount(s) were billed by the 
Service Provider and paid for by the Billed Entity Applicant on behalf 
of the eligible schools, libraries, and consortia of those entities.
    (vi) The school, library, or consortium is not seeking Schools and 
Libraries Cybersecurity Pilot Program reimbursement for eligible 
services and/or equipment that have been purchased and reimbursed in 
full with other federal, targeted state funding, other external sources 
of targeted funding, or targeted gifts or are eligible for discounts 
from the schools and libraries universal service support mechanism or 
other universal service support mechanisms.
    (vii) The school, library, or consortium acknowledges that it must 
submit invoices detailing the items purchased along with the submission 
of its request for reimbursement as required by Sec.  54.2008(b).
    (viii) The equipment and/or services the school, library, or 
consortium purchased will not be sold, resold, or transferred in 
consideration for money or any other thing of value, except as allowed 
by Sec.  54.2003(c).
    (ix) The school, library, or consortium acknowledges that it may be 
subject to an audit, inspection or investigation pursuant to its 
request for reimbursement, that it will retain for ten

[[Page 90161]]

years any and all records related to its request for reimbursement, and 
will make such records and equipment purchased with Schools and 
Libraries Cybersecurity Pilot Program reimbursement available at the 
request of any representative (including any auditor) appointed by a 
state education department, the Administrator, the Commission and its 
Office of Inspector General, or any local, state, or federal agency 
with jurisdiction over the entity.
    (x) No kickbacks, as defined in 41 U.S.C. 8701, were paid to or 
received by the applicant from anyone in connection with the Schools 
and Libraries Cybersecurity Pilot Program or the schools and libraries 
universal service support mechanism.
    (xi) The school, library, or consortium acknowledges that 
Commission rules provide that persons who have been convicted of 
criminal violations or held civilly liable for certain acts arising 
from their participation in the universal service support mechanisms 
are subject to suspension and debarment from the program. The school, 
library, or consortium will institute reasonable measures to be 
informed, and will notify the Administrator should it be informed or 
become aware that any of the entities listed on this application, or 
any person associated in any way with this entity and/or the entities 
listed on this application, is convicted of a criminal violation or 
held civilly liable for acts arising from their participation in the 
universal service support mechanisms.
    (xii) No universal service support has been or will be used to 
purchase, obtain, maintain, improve, modify, or otherwise support any 
equipment or services produced or provided by any company designated by 
the Federal Communications Commission as posing a national security 
threat to the integrity of communications networks or the 
communications supply chain since the effective date of the 
designations.
    (xiii) No federal subsidy made available through a program 
administered by the Commission that provides funds to be used for the 
capital expenditures necessary for the provision of advanced 
communications services has been or will be used to purchase, rent, 
lease, or otherwise obtain, any covered communications equipment or 
service, or maintain, any covered communications equipment or service, 
or maintain any covered communications equipment or service previously 
purchased, rented, leased, or otherwise obtained, as required by Sec.  
54.10.
    (2) The FCC Form 474 shall be signed by the person authorized to 
submit requests for reimbursement for the service provider and shall 
include that person's certification under penalty of perjury that:
    (i) ``I am authorized to submit this request for reimbursement on 
behalf of the above-named Service Provider and that based on 
information known to me or provided to me by employees responsible for 
the data being submitted, I hereby certify that the data set forth in 
this request for reimbursement has been examined and is true, accurate 
and complete. I acknowledge that any false statement on this request 
for reimbursement or on other documents submitted by this Service 
Provider can be punished by fine or forfeiture under the Communications 
Act (47 U.S.C. 502, 503(b)), or fine or imprisonment under Title 18 of 
the United States Code (18 U.S.C. 1001), or can lead to liability under 
the False Claims Act (31 U.S.C. 3729-3733).''
    (ii) ``In addition to the foregoing, the Service Provider is in 
compliance with the rules and orders governing the Schools and 
Libraries Cybersecurity Pilot Program, and I acknowledge that failure 
to be in compliance and remain in compliance with those rules and 
orders may result in the denial of funding, cancellation of funding 
commitments, and/or recoupment of past disbursements. I acknowledge 
that failure to comply with the rules and orders governing the Schools 
and Libraries Cybersecurity Pilot Program could result in civil or 
criminal prosecution by law enforcement authorities.''
    (iii) ``By signing this request for reimbursement, I certify that 
the information contained in this request for reimbursement is true, 
complete, and accurate, and the expenditures, disbursements and cash 
receipts are for the purposes and objectives set forth in the terms and 
conditions of the federal award. I am aware that any false, fictitious, 
or fraudulent information, or the omission of any material fact, may 
subject me to criminal, civil or administrative penalties for fraud, 
false statements, false claims or otherwise. (U.S. Code Title 18, 
sections 1001, 286-287 and 1341 and Title 31, sections 3729-3730 and 
3801-3812).''
    (iv) The funds sought in the request for reimbursement are for 
eligible services and/or equipment that were purchased or ordered in 
accordance with the Schools and Libraries Cybersecurity Pilot Program 
rules and requirements in this subpart and received by the school, 
library, or consortium.
    (v) The Service Provider is not seeking Schools and Libraries 
Cybersecurity Pilot Program reimbursement for eligible equipment and/or 
services for which it has already been paid.
    (vi) The Service Provider certifies that the school's, library's, 
or consortium's non-discount portion of costs for the eligible 
equipment and services has not been waived, paid, or promised to be 
paid by this Service Provider. The Service Provider acknowledges that 
the provision of a supported service or free services or equipment 
unrelated to the supported equipment or services constitutes a rebate 
of the non-discount portion of the costs as stated in Sec.  54.2007(e).
    (vii) The Service Provider acknowledges that it must submit 
invoices detailing the items purchased along with the submission of its 
request for reimbursement as required by Sec.  54.2008(b).
    (viii) The Service Provider certifies that it is compliant with the 
Commission's rules and orders regarding gifts and this Service Provider 
has not directly or indirectly offered or provided any gifts, 
gratuities, favors, entertainment, loans, or any other thing of value 
to any eligible school, library, or consortium, except as provided for 
at Sec.  54.2005(d).
    (ix) The service provider acknowledges that it may be subject to an 
audit, inspection, or investigation pursuant to its request for 
reimbursement, that it will retain for ten years any and all records 
related to its request for reimbursement, and will make such records 
and equipment purchased with Schools and Libraries Cybersecurity Pilot 
Program reimbursement available at the request of any representative 
(including any auditor) appointed by a state education department, the 
Administrator, the Commission and its Office of Inspector General, or 
any local, state, or federal agency with jurisdiction over the entity.
    (x) No kickbacks, as defined in 41 U.S.C. 8701, were paid by the 
Service Provider to anyone in connection with the Schools and Libraries 
Cybersecurity Pilot Program or the schools and libraries universal 
service support mechanism.
    (xi) The Service Provider is not debarred or suspended from any 
Federal programs, including the universal service support mechanisms.
    (xii) No universal service support has been or will be used to 
purchase, obtain, maintain, improve, modify, or otherwise support any 
equipment or services produced or provided by any company designated by 
the Federal Communications Commission as posing a national security 
threat to the integrity

[[Page 90162]]

of communications networks or the communications supply chain since the 
effective date of the designations.
    (xiii) No federal subsidy made available through a program 
administered by the Commission that provides funds to be used for the 
capital expenditures necessary for the provision of advanced 
communications services has been or will be used to purchase, rent, 
lease, or otherwise obtain, any covered communications equipment or 
service, or maintain any covered communications equipment or service, 
or maintain any covered communications equipment or service previously 
purchased, rented, leased, or otherwise obtained, as required by Sec.  
54.10.
    (b) Required documentation. Along with the submission of a 
completed FCC Form 472 or a completed FCC Form 474, an applicant 
selected to participate, or service provider, seeking reimbursement 
from the Schools and Libraries Cybersecurity Pilot Program must submit 
invoices detailing the items purchased to the Administrator at the time 
the FCC Form 472 or FCC Form 474 is submitted.
    (c) Reimbursement and invoice processing. The Administrator shall 
accept and review requests for reimbursement and invoices subject to 
the invoice filing deadlines provided in paragraph (d) of this section.
    (d) Invoice filing deadline. Invoices must be submitted to the 
Administrator within ninety (90) days after the last date to receive 
service, in accordance with Sec.  54.2001.
    (e) Invoice deadline extensions. In advance of the deadline 
calculated pursuant to paragraph (c) of this section, billed entities 
or service providers may request a one-time extension of the invoice 
filing deadline. The Administrator shall grant a ninety (90) day 
extension of the invoice filing deadline, if the request is timely 
filed.


Sec.  54.2009  Audits, Inspections, and Investigations.

    (a) Audits. Schools and Libraries Cybersecurity Pilot Program 
participants shall be subject to audits and other investigations to 
evaluate their compliance with the statutory and regulatory 
requirements for the Schools and Libraries Cybersecurity Pilot Program, 
including those requirements pertaining to what services and equipment 
are purchased, what services and equipment are delivered, and how 
services and equipment are being used.
    (b) Inspections and investigations. Schools and Libraries 
Cybersecurity Pilot Program participants shall permit any 
representative (including any auditor) appointed by a state education 
department, the Administrator, the Commission, its Office of Inspector 
General, or any local, state or federal agency with jurisdiction over 
the entity to enter their premises to conduct inspections for 
compliance with the statutory and regulatory requirements in this 
subpart of the Schools and Libraries Cybersecurity Pilot Program.


Sec.  54.2010  Records Retention and Production.

    (a) Recordkeeping requirements. All Schools and Libraries 
Cybersecurity Pilot Program participants shall retain all documents 
related to their participation in the program sufficient to demonstrate 
compliance with all program rules for at least 10 years from the last 
date of service or delivery of equipment. All Schools and Libraries 
Cybersecurity Pilot Program applicants shall maintain asset and 
inventory records of services and equipment purchased sufficient to 
verify the actual location of such services and equipment for a period 
of 10 years after purchase.
    (b) Production of records. All Schools and Libraries Cybersecurity 
Pilot Program participants shall present such records upon request of 
any representative (including any auditor) appointed by a state 
education department, the Administrator, the Commission, its Office of 
the Inspector General, or any local, state or federal agency with 
jurisdiction over the entity.


Sec.  54.2011  Administrator of the Schools and Libraries Cybersecurity 
Pilot Program.

    (a) The Universal Service Administrative Company is appointed the 
permanent Administrator of the Schools and Libraries Cybersecurity 
Pilot Program and shall be responsible for administering the Schools 
and Libraries Cybersecurity Pilot Program.
    (b) The Administrator shall be responsible for reviewing 
applications for funding, recommending funding commitments, issuing 
funding commitment decision letters, reviewing invoices and 
recommending payment of funds, as well as other administration related 
duties.
    (c) The Administrator may not make policy, interpret unclear 
provisions of statutes or rules, or interpret the intent of Congress. 
Where statutes or the Commission's rules in this subpart are unclear, 
or do not address a particular situation, the Administrator shall seek 
guidance from the Commission.
    (d) The Administrator may advocate positions before the Commission 
and its staff only on administrative matters relating to the Schools 
and Libraries Cybersecurity Pilot Program.
    (e) The Administrator shall create and maintain a website, as 
defined in Sec.  54.5, on which applications for services will be 
posted on behalf of schools and libraries.
    (f) The Administrator shall provide the Commission full access to 
the data collected pursuant to the administration of the Schools and 
Libraries Cybersecurity Pilot Program.
    (g) The administrator shall provide performance measurements 
pertaining to the Schools and Libraries Cybersecurity Pilot Program as 
requested by the Commission by order or otherwise.
    (h) The Administrator shall have the authority to audit all 
entities reporting data to the Administrator regarding the Schools and 
Libraries Cybersecurity Pilot Program. When the Commission, the 
Administrator, or any independent auditor hired by the Commission or 
the Administrator, conducts audits of the participants of the Schools 
and Libraries Cybersecurity Pilot Program, such audits shall be 
conducted in accordance with generally accepted government auditing 
standards.
    (i) The Administrator shall establish procedures to verify support 
amounts provided by the Schools and Libraries Cybersecurity Pilot 
Program and may suspend or delay support amounts if a party fails to 
provide adequate verification of the support amounts provided upon 
reasonable request from the Administrator or the Commission.
    (j) The Administrator shall make available to whomever the 
Commission directs, free of charge, any and all intellectual property, 
including, but not limited to, all records and information generated by 
or resulting from its role in administering the support mechanisms, if 
its participation in administering the Schools and Libraries 
Cybersecurity Pilot Program ends. If its participation in administering 
the Schools and Libraries Cybersecurity Pilot Program ends, the 
Administrator shall be subject to close-out audits at the end of its 
term.


Sec.  54.2012  Appeal and waiver requests.

    (a) Parties permitted to seek review of Administrator decision.
    (1) Any party aggrieved by an action taken by the Administrator 
must first seek review from the Administrator.
    (2) Any party aggrieved by an action taken by the Administrator 
under paragraph (a)(1) of this section may seek review from the Federal 
Communications Commission as set forth in paragraph (b) of this 
section.
    (3) Parties seeking waivers of the Commission's rules in this 
subpart shall seek relief directly from the Commission and need not 
first file an action for

[[Page 90163]]

review from the Administrator under paragraph (a)(1) of this section.
    (b) Filing deadlines.
    (1) An affected party requesting review of a decision by the 
Administrator pursuant to paragraph (a)(1) of this section shall file 
such a request within thirty (30) days from the date the Administrator 
issues a decision.
    (2) An affected party requesting review by the Commission pursuant 
to paragraph (a)(2) of this section of a decision by the Administrator 
under paragraph (a)(1) of this section shall file such a request with 
the Commission within thirty (30) days from the date of the 
Administrator's decision. Further, any party seeking a waiver of the 
Commission's rules under paragraph (a)(3) of this section shall file a 
request for such waiver within thirty (30) days from the date of the 
Administrator's initial decision, or, if an appeal is filed under 
paragraph (a)(1) of this section, within thirty days from the date of 
the Administrator's decision resolving such an appeal.
    (3) Parties shall adhere to the time periods for filing oppositions 
and replies set forth in Sec.  1.45 of this chapter.
    (c) General filing requirements.
    (1) Except as otherwise provided in this section, a request for 
review of an Administrator decision by the Commission shall be filed 
with the Commission's Office of the Secretary in accordance with the 
general requirements set forth in part 1 of this chapter. The request 
for review shall be captioned ``In the Matter of Request for Review by 
(name of party seeking review) of Decision of Universal Service 
Administrator'' and shall reference the applicable docket numbers.
    (2) A request for review pursuant to paragraphs (a)(1) through (3) 
of this section shall contain:
    (i) A statement setting forth the party's interest in the matter 
presented for review;
    (ii) A full statement of relevant, material facts with supporting 
affidavits and documentation;
    (iii) The question presented for review, with reference, where 
appropriate, to the relevant Commission rule, Commission order, or 
statutory provision; and;
    (iv) A statement of the relief sought and the relevant statutory or 
regulatory provision pursuant to which such relief is sought.
    (3) A copy of a request for review that is submitted to the 
Commission shall be served on the Administrator consistent with the 
requirement for service of documents set forth in Sec.  1.47 of this 
chapter.
    (4) If a request for review filed pursuant to paragraphs (a)(1) 
through (3) of this section alleges prohibitive conduct on the part of 
a third party, such request for review shall be served on the third 
party consistent with the requirement for service of documents set 
forth in Sec.  1.47 of this chapter. The third party may file a 
response to the request for review. Any response filed by the third 
party shall adhere to the time period for filing replies set forth in 
Sec.  1.45 of this chapter and the requirement for service of documents 
set forth in Sec.  1.47 of this chapter.
    (d) Review by the Wireline Competition Bureau or the Commission.
    (1) Requests for review of Administrator decisions that are 
submitted to the Federal Communications Commission shall be considered 
and acted upon by the Wireline Competition Bureau; provided, however, 
that requests for review that raise novel questions of fact, law, or 
policy shall be considered by the full Commission.
    (2) An affected party may seek review of a decision issued under 
delegated authority by the Wireline Competition Bureau pursuant to the 
rules set forth in part 1 of this chapter.
    (e) Standard of review.
    (1) The Wireline Competition Bureau shall conduct de novo review of 
requests for review of decisions issued by the Administrator.
    (2) The Commission shall conduct de novo review of requests for 
review of decisions by the Administrator that involve novel questions 
of fact, law, or policy; provided, however, that the Commission shall 
not conduct de novo review of decisions issued by the Wireline 
Competition Bureau under delegated authority.
    (f) Schools and Libraries Cybersecurity Pilot Program disbursements 
during pendency of a request for review and Administrator decision. 
When a party has sought review of an Administrator decision under 
paragraphs (a)(1) through (3) of this section, the Commission shall not 
process a request for the reimbursement of eligible equipment and/or 
services until a final decision has been issued either by the 
Administrator or by the Commission; provided, however, that the 
Commission may authorize disbursement of funds for any amount of 
support that is not the subject of an appeal.

[FR Doc. 2023-27811 Filed 12-28-23; 8:45 am]
BILLING CODE 6712-01-P